CVE-2018-1000075

{"id": "CVE-2018-1000075", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-03-13T15:29:00.550", "references": [{"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3729", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3730", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3731", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:2028", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0542", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0591", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0663", "source": "cve@mitre.org"}, {"url": "https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html", "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html", "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html", "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/3621-1/", "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2018/dsa-4219", "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2018/dsa-4259", "source": "cve@mitre.org"}, {"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3729", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3730", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3731", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2019:2028", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0542", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0591", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0663", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://usn.ubuntu.com/3621-1/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2018/dsa-4219", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2018/dsa-4259", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6."}, {"lang": "es", "value": "Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: versiones 2.5.0 y anteriores, anteriores a la revisi\u00f3n del trunk 62422 contiene un bucle infinito provocado por una vulnerabilidad de tama\u00f1o negativo en la cabecera tar del paquete de ruby gem que puede resultar en un tama\u00f1o negativo que desemboque en un bucle infinito. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 2.7.6."}], "lastModified": "2024-11-21T03:39:34.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEE89FF0-0079-4DF5-ACFC-E1B5415E54F4", "versionEndIncluding": "2.2.9"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8080FB82-5445-4A17-9ECB-806991906E80", "versionEndIncluding": "2.3.6"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCBC38C5-781E-4998-877D-42265F1DBD05", "versionEndIncluding": "2.4.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6ACE6376-2E27-4F56-9315-03367963DB09", "versionEndIncluding": "2.5.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}