CVE-2018-1000079

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

Published: Mar 13, 2018
Updated: May 9, 2024
CVE: CVE-2018-1000079
GHSA: GHSA-8qxg-mff5-j3wc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
rubygems / rubygems	-	2.2.9.x
rubygems / rubygems	-	2.3.6.x
rubygems / rubygems	-	2.4.3.x
rubygems / rubygems	-	2.5.0.x
rubygems-update	-	2.7.6
org.jruby / jruby-stdlib	-	9.1.16.0

Vulnerability Database

289,697

CVE-2018-1000079