#VU8056 Security restrictions bypass in RubyGems - CVE-2017-0899

Cybersecurity Help s.r.o.

Published: 2017-08-31

Vulnerability identifier: #VU8056

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-0899

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RubyGems
Universal components / Libraries / Libraries used by multiple products

Vendor: Ruby

Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to unknown error. A remote attacker can escape ANSI.

Mitigation
Update to version 2.6.13.

Vulnerable software versions

RubyGems: 2.2.0 - 2.4.1

External links
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Protection Search

Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance

Security restrictions bypass in prayer (Alpine package)

Red Hat Software Collections update for rh-ruby23-ruby

Red Hat Software Collections update for rh-ruby22-ruby

Red Hat update for ruby

Amazon Linux AMI update for ruby24

Gentoo update for RubyGems

Ubuntu update for Ruby