#VU8815 Deserialization of untrusted data in RubyGems - CVE-2017-0903
Published: October 13, 2017
Vulnerability identifier: #VU8815
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-0903
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
RubyGems
RubyGems
Software vendor:
Ruby
Ruby
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to YAML deserialization of gem specifications. A remote attacker can inject an instance of specially crafted serialized objects, gain elevated privileges and execute arbitrary Ruby code on RubyGems.org.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to YAML deserialization of gem specifications. A remote attacker can inject an instance of specially crafted serialized objects, gain elevated privileges and execute arbitrary Ruby code on RubyGems.org.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to version 2.6.14.