{"containers": {"cna": {"affected": [{"product": "RubyGems", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "Versions before 2.6.13"}]}], "datePublic": "2017-08-27T00:00:00", "descriptions": [{"lang": "en", "value": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-150", "description": "Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-14T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"name": "RHSA-2018:0585", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0585"}, {"name": "DSA-3966", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-3966"}, {"name": "RHSA-2018:0378", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0378"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/226335"}, {"name": "1039249", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039249"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"}, {"name": "RHSA-2017:3485", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:3485"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "RHSA-2018:0583", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"name": "GLSA-201710-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201710-01"}, {"name": "100576", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100576"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2017-08-27T00:00:00", "ID": "CVE-2017-0899", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RubyGems", "version": {"version_data": [{"version_value": "Versions before 2.6.13"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:0585", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0585"}, {"name": "DSA-3966", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-3966"}, {"name": "RHSA-2018:0378", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0378"}, {"name": "https://hackerone.com/reports/226335", "refsource": "MISC", "url": "https://hackerone.com/reports/226335"}, {"name": "1039249", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039249"}, {"name": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"}, {"name": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"}, {"name": "RHSA-2017:3485", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:3485"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "RHSA-2018:0583", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"name": "GLSA-201710-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201710-01"}, {"name": "100576", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100576"}, {"name": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "refsource": "MISC", "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:25:16.395Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:0585", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0585"}, {"name": "DSA-3966", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-3966"}, {"name": "RHSA-2018:0378", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0378"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/226335"}, {"name": "1039249", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039249"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"}, {"name": "RHSA-2017:3485", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:3485"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "RHSA-2018:0583", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"name": "GLSA-201710-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201710-01"}, {"name": "100576", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100576"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-0899", "datePublished": "2017-08-31T20:00:00Z", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2024-09-17T02:20:54.846Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "1161B0D8-43B3-4123-BD4F-87F260AB8947", "versionEndIncluding": "2.6.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D5F7E11E-FB34-4467-8919-2B6BEAABF665", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences."}, {"lang": "es", "value": "RubyGems 2.6.12 y anteriores es vulnerable a especificaciones de gemas manipuladas maliciosamente que incluyen caracteres de escapada de terminal. Imprimir la especificaci\u00f3n de las gemas ejecutar\u00eda secuencias de escapada de terminal."}], "id": "CVE-2017-0899", "lastModified": "2019-10-09T23:21:09.713", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-31T20:29:00.417", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100576"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039249"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:3485"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0378"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0585"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://hackerone.com/reports/226335"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201710-01"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-3966"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-150"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2018:0378", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "ruby-0:2.0.0.648-33.el7_4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2018-02-28T00:00:00Z"}, {"advisory": "RHSA-2017:3485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby24-ruby-0:2.4.2-86.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2017-12-19T00:00:00Z"}, {"advisory": "RHSA-2018:0583", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby22-ruby-0:2.2.9-19.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2018:0585", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby23-ruby-0:2.3.6-67.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2017:3485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby24-ruby-0:2.4.2-86.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2017-12-19T00:00:00Z"}, {"advisory": "RHSA-2018:0583", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby22-ruby-0:2.2.9-19.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2018:0585", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby23-ruby-0:2.3.6-67.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2017:3485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.2-86.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2017-12-19T00:00:00Z"}, {"advisory": "RHSA-2018:0583", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby22-ruby-0:2.2.9-19.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2018:0585", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.6-67.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2017:3485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.2-86.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date": "2017-12-19T00:00:00Z"}, {"advisory": "RHSA-2018:0583", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby22-ruby-0:2.2.9-19.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2018:0585", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.6-67.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2017:3485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.2-86.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2017-12-19T00:00:00Z"}, {"advisory": "RHSA-2018:0583", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby22-ruby-0:2.2.9-19.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2018-03-26T00:00:00Z"}, {"advisory": "RHSA-2018:0585", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.6-67.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2018-03-26T00:00:00Z"}], "bugzilla": {"description": "rubygems: Escape sequence in the \"summary\" field of gemspec", "id": "1487590", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1487590"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-138", "details": ["RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.", "A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences."], "name": "CVE-2017-0899", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "rubygems", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Under investigation", "package_name": "rubygems", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Under investigation", "package_name": "rubygems", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Under investigation", "package_name": "ruby193-rubygems", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2017-08-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-0899\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-0899\nhttp://blog.rubygems.org/2017/08/27/2.6.13-released.html"], "statement": "This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 6, and 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low", "upstream_fix": "ruby 2.4.2, ruby 2.2.8, ruby 2.3.5, rubygems 2.6.13"}