CVE-2017-0903 RubyGems Remote Code Execution Vulnerability

Vulnerability category: Local

Severity:

Vulnerability information

RubyGems is a package management framework for Ruby.

RubyGems is prone to a remote code-execution vulnerability because YAML deserialization of gem specifications can bypass the class whitelist. An attacker can exploit this issue to execute arbitrary code within the context of the affected system.

Affected Versions:
RubyGems between 2.0.0 and 2.6.13

QID Detection Logic:
This authenticated QID matches the vulnerable RubyGems version by running gem -v.
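The same version check, written as an added Ruby example (not Qualys' own detection code): it classifies a `gem -v` string against the affected range 2.0.0 through 2.6.13 and scans a constructed host inventory. The host names and versions in SAMPLE_INVENTORY are hypothetical.

```ruby
require "rubygems"

# Affected range from the advisory: RubyGems 2.0.0 through 2.6.13, fixed in 2.6.14.
FIRST_AFFECTED = Gem::Version.new("2.0.0")
FIXED_VERSION  = Gem::Version.new("2.6.14")

# Parse a version string as printed by `gem -v`; nil if it is missing or malformed.
def parse_gem_version(str)
  s = str.to_s.strip
  return nil if s.empty?
  Gem::Version.new(s)
rescue ArgumentError
  nil
end

# True when the version lies in [2.0.0, 2.6.14). Comparing against the fixed version
# rather than "<= 2.6.13" keeps prerelease builds such as 2.6.14.pre (which sort
# below 2.6.14) in the affected set. Gem::VERSION is what `gem -v` prints locally.
def rubygems_vulnerable?(version_string = Gem::VERSION)
  version = parse_gem_version(version_string)
  return false if version.nil?
  version >= FIRST_AFFECTED && version < FIXED_VERSION
end

# Scan "hostname<whitespace>version" lines (e.g. `gem -v` output gathered per host)
# and return hosts needing the upgrade; unparseable versions are reported, not skipped.
def affected_hosts(inventory_text)
  affected, unknown = [], []
  inventory_text.each_line do |line|
    host, version = line.split(nil, 2)
    next if host.nil? || host.start_with?("#")
    if parse_gem_version(version).nil?
      unknown << host
    elsif rubygems_vulnerable?(version)
      affected << host
    end
  end
  { affected: affected, unknown: unknown }
end

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = <<~INV
  build-01      2.6.13
  build-02      2.6.14
  ci-runner     2.0.0
  legacy-app    1.8.29
  staging-web   2.6.14.pre
  broken-host   not-a-version
INV

puts affected_hosts(SAMPLE_INVENTORY).inspect if __FILE__ == $PROGRAM_NAME
```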

Impact

Successful execution allows an attacker to execute arbitrary code on a targeted system.

Solution

Customers are advised to upgrade to RubyGems 2.6.14 to remediate this vulnerability.

Patch:
The following links provide the patches that fix this vulnerability:

RubyGems 2.6.14
