NotCVE - vendor:"Rubygems" product:"Rubygems" version:" >= 2.6.0 <= 3.0.2"

Page 3 of 12 results (0.005 seconds)

CVSS: 9.8EPSS: 2%CPEs: 13EXPL: 1

CVE-2017-0899 – rubygems: Escape sequence in the "summary" field of gemspec

https://notcve.org/view.php?id=CVE-2017-0899

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. RubyGems 2.6.12 y anteriores es vulnerable a especificaciones de gemas manipuladas maliciosamente que incluyen caracteres de escapada de terminal. Imprimir la especificación de las gemas ejecutaría secuencias de escapada de terminal. A vulnerability was found where rubygems did not properly sanitize gems' specification text. • http://blog.rubygems.org/2017/08/27/2.6.13-released.html http://www.securityfocus.com/bid/100576 http://www.securitytracker.com/id/1039249 https://access.redhat.com/errata/RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0585 https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1 https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491 https • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-138: Improper Neutralization of Special Elements CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •

CVSS: 8.1EPSS: 0%CPEs: 16EXPL: 2

CVE-2017-0902 – rubygems: DNS hijacking vulnerability

https://notcve.org/view.php?id=CVE-2017-0902

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. RubyGems 2.6.12 y anteriores es vulnerable a secuestro de DNS, lo que permite a un atacante Man-in-the-Middle (MitM) forzar el cliente RubyGems a que descargue e instale gemas desde un servidor que está bajo el control del atacante. A vulnerability was found where rubygems did not sanitize DNS responses when requesting the hostname of the rubygems server for a domain, via a _rubygems._tcp DNS SRV query. An attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain. • http://blog.rubygems.org/2017/08/27/2.6.13-released.html http://www.securityfocus.com/bid/100586 http://www.securitytracker.com/id/1039249 https://access.redhat.com/errata/RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0585 https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32 https://hackerone.com/reports/218088 https://lists.debian.org/debian- • CWE-138: Improper Neutralization of Special Elements CWE-346: Origin Validation Error CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action •

1 2 3