Vulnerability Details: CVE-2017-0903
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2017-0903
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0.preiew.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.0.rc.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.0.rc.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0.rc.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.11:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-0903
- EPSS score: 13.51% (probability of exploitation activity in the next 30 days)
- Percentile: ~95% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2017-0903
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2017-0903
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
  Assigned by: nvd@nist.gov (Primary); support@hackerone.com (Secondary)
References for CVE-2017-0903
- https://access.redhat.com/errata/RHSA-2017:3485 : RHSA-2017:3485 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://www.debian.org/security/2017/dsa-4031 : Debian -- Security Information -- DSA-4031-1 ruby2.3 [Third Party Advisory]
- https://usn.ubuntu.com/3553-1/ : USN-3553-1: Ruby vulnerabilities | Ubuntu security notices [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html : [SECURITY] [DLA 1421-1] ruby2.1 security update [Mailing List; Third Party Advisory]
- https://hackerone.com/reports/274990 : #274990 Remote code execution on rubygems.org [Third Party Advisory]
- https://usn.ubuntu.com/3685-1/ : USN-3685-1: Ruby vulnerabilities | Ubuntu security notices [Third Party Advisory]
- http://www.securityfocus.com/bid/101275 : RubyGems CVE-2017-0903 Remote Code Execution Vulnerability [Third Party Advisory; VDB Entry]
- https://access.redhat.com/errata/RHSA-2018:0585 : RHSA-2018:0585 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2018:0378 : RHSA-2018:0378 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html : Unsafe Object Deserialization Vulnerability in RubyGems - RubyGems Blog [Vendor Advisory]
- http://blog.rubygems.org/2017/10/09/2.6.14-released.html : 2.6.14 Released - RubyGems Blog [Vendor Advisory]
- https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49 : Whitelist classes and symbols that are in Gem spec YAML · rubygems/rubygems@510b163 · GitHub [Patch; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2018:0583 : RHSA-2018:0583 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]