CVE-2017-0899

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
References
Link Resource
http://blog.rubygems.org/2017/08/27/2.6.13-released.html Patch Vendor Advisory
http://www.securityfocus.com/bid/100576 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039249 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3485 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0583 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585 Third Party Advisory
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1 Patch Third Party Advisory
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491 Patch Third Party Advisory
https://hackerone.com/reports/226335 Exploit Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201710-01 Third Party Advisory
https://www.debian.org/security/2017/dsa-3966 Third Party Advisory
http://blog.rubygems.org/2017/08/27/2.6.13-released.html Patch Vendor Advisory
http://www.securityfocus.com/bid/100576 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039249 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3485 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0378 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0583 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0585 Third Party Advisory
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1 Patch Third Party Advisory
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491 Patch Third Party Advisory
https://hackerone.com/reports/226335 Exploit Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201710-01 Third Party Advisory
https://www.debian.org/security/2017/dsa-3966 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:03

Type Values Removed Values Added
References () http://blog.rubygems.org/2017/08/27/2.6.13-released.html - Patch, Vendor Advisory () http://blog.rubygems.org/2017/08/27/2.6.13-released.html - Patch, Vendor Advisory
References () http://www.securityfocus.com/bid/100576 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/100576 - Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1039249 - Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1039249 - Third Party Advisory, VDB Entry
References () https://access.redhat.com/errata/RHSA-2017:3485 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2017:3485 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:0378 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:0378 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:0583 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:0583 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:0585 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:0585 - Third Party Advisory
References () https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1 - Patch, Third Party Advisory () https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1 - Patch, Third Party Advisory
References () https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491 - Patch, Third Party Advisory () https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491 - Patch, Third Party Advisory
References () https://hackerone.com/reports/226335 - Exploit, Patch, Third Party Advisory () https://hackerone.com/reports/226335 - Exploit, Patch, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html - Mailing List, Third Party Advisory
References () https://security.gentoo.org/glsa/201710-01 - Third Party Advisory () https://security.gentoo.org/glsa/201710-01 - Third Party Advisory
References () https://www.debian.org/security/2017/dsa-3966 - Third Party Advisory () https://www.debian.org/security/2017/dsa-3966 - Third Party Advisory

Information

Published : 2017-08-31 20:29

Updated : 2024-11-21 03:03


NVD link : CVE-2017-0899

Mitre link : CVE-2017-0899

CVE.ORG link : CVE-2017-0899


JSON object : View

Products Affected

redhat

  • enterprise_linux_server_aus
  • enterprise_linux_server_tus
  • enterprise_linux_workstation
  • enterprise_linux_server_eus
  • enterprise_linux_desktop
  • enterprise_linux_server

debian

  • debian_linux

rubygems

  • rubygems
CWE
CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

CWE-94

Improper Control of Generation of Code ('Code Injection')