Vulnerability Details : CVE-2018-1000077
RubyGems as shipped with Ruby 2.2 series 2.2.9 and earlier, Ruby 2.3 series 2.3.6 and earlier, Ruby 2.4 series 2.4.3 and earlier, Ruby 2.5 series 2.5.0 and earlier, and trunk prior to revision 62422 contains an Improper Input Validation vulnerability in the gem specification's homepage attribute: a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in RubyGems 2.7.6.
Vulnerability category: Input validation
Products affected by CVE-2018-1000077
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000077
- EPSS score: 0.38% (probability of exploitation activity in the next 30 days)
- Percentile: ~70% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-1000077
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2018-1000077
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000077
- https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html - [SECURITY] [DLA 1336-1] rubygems security update (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0542 - RHSA-2020:0542 - Security Advisory - Red Hat Customer Portal
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html - [SECURITY] [DLA 1358-1] ruby1.9.1 security update
- https://usn.ubuntu.com/3621-1/ - USN-3621-1: Ruby vulnerabilities | Ubuntu security notices
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html - 2.7.6 Released - RubyGems Blog (Vendor Advisory)
- https://www.debian.org/security/2018/dsa-4259 - Debian -- Security Information -- DSA-4259-1 ruby2.3
- https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html - [SECURITY] [DLA 1337-1] jruby security update (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3731 - RHSA-2018:3731 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2018:3729 - RHSA-2018:3729 - Security Advisory - Red Hat Customer Portal
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html - [SECURITY] [DLA 1421-1] ruby2.1 security update
- https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964 - Enforce URL validation on spec homepage attribute · rubygems/rubygems@feadefc · GitHub (Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0591 - RHSA-2020:0591 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2018:3730 - RHSA-2018:3730 - Security Advisory - Red Hat Customer Portal
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html - [security-announce] openSUSE-SU-2019:1771-1: important: Security update
- https://access.redhat.com/errata/RHSA-2020:0663 - RHSA-2020:0663 - Security Advisory - Red Hat Customer Portal
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html - [SECURITY] [DLA 1796-1] jruby security update
- https://www.debian.org/security/2018/dsa-4219 - Debian -- Security Information -- DSA-4219-1 jruby
- https://access.redhat.com/errata/RHSA-2019:2028 - RHSA-2019:2028 - Security Advisory - Red Hat Customer Portal