CVE-2017-0903

critical

Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

References

Advisories
More

https://www.debian.org/security/2017/dsa-4031

https://usn.ubuntu.com/3685-1/

https://usn.ubuntu.com/3553-1/

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://hackerone.com/reports/274990

https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

https://access.redhat.com/errata/RHSA-2018:0585

https://access.redhat.com/errata/RHSA-2018:0583

https://access.redhat.com/errata/RHSA-2018:0378

https://access.redhat.com/errata/RHSA-2017:3485

http://www.securityfocus.com/bid/101275

http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

http://blog.rubygems.org/2017/10/09/2.6.14-released.html

Details

Source: Mitre, NVD

Published: 2017-10-11

Updated: 2025-04-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.07294