Vulnerability Details : CVE-2017-0902
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Products affected by CVE-2017-0902
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-0902
- EPSS score: 3.22% (probability of exploitation activity in the next 30 days)
- Percentile: ~86% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-0902
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | 
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | 
CWE ids for CVE-2017-0902
- The product does not properly verify that the source of data or communication is valid. Assigned by: nvd@nist.gov (Primary)
- The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. Assigned by: support@hackerone.com (Secondary)
References for CVE-2017-0902
- https://access.redhat.com/errata/RHSA-2017:3485 : RHSA-2017:3485 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32 : [RemoteFetcher] Avoid DNS Hijacking Vulnerability · rubygems/rubygems@8d91516 · GitHub (Exploit; Patch; Third Party Advisory)
- https://usn.ubuntu.com/3553-1/ : USN-3553-1: Ruby vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://www.securityfocus.com/bid/100586 : RubyGems CVE-2017-0902 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1039249 : Ruby Flaws in RubyGems Let Remote Users Hijack the DNS and Overwrite Files and Let Local Users Deny Service - SecurityTracker (Third Party Advisory; VDB Entry)
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html : [SECURITY] [DLA 1421-1] ruby2.1 security update (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2017/dsa-3966 : Debian -- Security Information -- DSA-3966-1 ruby2.3 (Third Party Advisory)
- https://hackerone.com/reports/218088 : #218088 Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier (Exploit; Issue Tracking; Third Party Advisory)
- https://usn.ubuntu.com/3685-1/ : USN-3685-1: Ruby vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0585 : RHSA-2018:0585 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://blog.rubygems.org/2017/08/27/2.6.13-released.html : 2.6.13 Released - RubyGems Blog (Patch; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:0378 : RHSA-2018:0378 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0583 : RHSA-2018:0583 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://security.gentoo.org/glsa/201710-01 : RubyGems: Multiple vulnerabilities (GLSA 201710-01) — Gentoo security (Third Party Advisory)