Vulnerability Details: CVE-2017-0900
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications, which can be used to cause a denial of service against RubyGems clients that have issued a `query` command.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2017-0900
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-0900
- EPSS score: 2.26% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~90% (the proportion of vulnerabilities scored at or below this score)
- EPSS Score History: chart not reproduced here
CVSS scores for CVE-2017-0900
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2017-0900
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-0900
- [RHSA-2017:3485 - Security Advisory - Red Hat Customer Portal](https://access.redhat.com/errata/RHSA-2017:3485): Third Party Advisory
- [Ruby Flaws in RubyGems Let Remote Users Hijack the DNS and Overwrite Files and Let Local Users Deny Service - SecurityTracker](http://www.securitytracker.com/id/1039249): Third Party Advisory; VDB Entry
- [[SECURITY] [DLA 1421-1] ruby2.1 security update](https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html): Mailing List; Third Party Advisory
- [Debian -- Security Information -- DSA-3966-1 ruby2.3](https://www.debian.org/security/2017/dsa-3966): Third Party Advisory
- [Truncate summaries to 100,000 characters in the query command · rubygems/rubygems@8a38a4f · GitHub](https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251): Patch; Third Party Advisory
- [RHSA-2018:0585 - Security Advisory - Red Hat Customer Portal](https://access.redhat.com/errata/RHSA-2018:0585): Third Party Advisory
- [#243003 No limit of summary length allows Denail of Service](https://hackerone.com/reports/243003): Exploit; Third Party Advisory
- [RubyGems CVE-2017-0900 Denial of Service Vulnerability](http://www.securityfocus.com/bid/100579): Third Party Advisory; VDB Entry
- [2.6.13 Released - RubyGems Blog](http://blog.rubygems.org/2017/08/27/2.6.13-released.html): Patch; Vendor Advisory
- [RHSA-2018:0378 - Security Advisory - Red Hat Customer Portal](https://access.redhat.com/errata/RHSA-2018:0378): Third Party Advisory
- [RHSA-2018:0583 - Security Advisory - Red Hat Customer Portal](https://access.redhat.com/errata/RHSA-2018:0583): Third Party Advisory
- [RubyGems: Multiple vulnerabilities (GLSA 201710-01) — Gentoo security](https://security.gentoo.org/glsa/201710-01): Third Party Advisory