{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-18T00:00:00", "datePublic": "2018-03-13T00:00:00", "descriptions": [{"lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-03T18:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-4219", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4219"}, {"name": "USN-3621-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3621-1/"}, {"name": "RHSA-2018:3729", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"name": "RHSA-2018:3730", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"name": "[debian-lts-announce] 20180423 [SECURITY] [DLA 1358-1] ruby1.9.1 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"name": "RHSA-2018:3731", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"name": "[debian-lts-announce] 20180402 [SECURITY] [DLA 1337-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "DSA-4259", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4259"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693"}, {"name": "[debian-lts-announce] 20180401 [SECURITY] [DLA 1336-1] rubygems security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1796-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:2028", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"name": "RHSA-2020:0542", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"name": "RHSA-2020:0591", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"name": "RHSA-2020:0663", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0663"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/18/2018 8:04:21", "ID": "CVE-2018-1000076", "REQUESTER": "craig.ingram@salesforce.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-4219", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4219"}, {"name": "USN-3621-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3621-1/"}, {"name": "RHSA-2018:3729", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"name": "RHSA-2018:3730", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"name": "[debian-lts-announce] 20180423 [SECURITY] [DLA 1358-1] ruby1.9.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"name": "RHSA-2018:3731", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"name": "[debian-lts-announce] 20180402 [SECURITY] [DLA 1337-1] jruby security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "DSA-4259", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4259"}, {"name": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html", "refsource": "MISC", "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"name": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693", "refsource": "MISC", "url": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693"}, {"name": "[debian-lts-announce] 20180401 [SECURITY] [DLA 1336-1] rubygems security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1796-1] jruby security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:2028", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"name": "RHSA-2020:0542", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"name": "RHSA-2020:0591", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"name": "RHSA-2020:0663", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0663"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.167Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-4219", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4219"}, {"name": "USN-3621-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3621-1/"}, {"name": "RHSA-2018:3729", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"name": "RHSA-2018:3730", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"name": "[debian-lts-announce] 20180423 [SECURITY] [DLA 1358-1] ruby1.9.1 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"name": "RHSA-2018:3731", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"name": "[debian-lts-announce] 20180402 [SECURITY] [DLA 1337-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "DSA-4259", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4259"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693"}, {"name": "[debian-lts-announce] 20180401 [SECURITY] [DLA 1336-1] rubygems security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1796-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:2028", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"name": "RHSA-2020:0542", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"name": "RHSA-2020:0591", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"name": "RHSA-2020:0663", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0663"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000076", "datePublished": "2018-03-13T15:00:00", "dateReserved": "2018-02-21T00:00:00", "dateUpdated": "2024-08-05T12:33:49.167Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEE89FF0-0079-4DF5-ACFC-E1B5415E54F4", "versionEndIncluding": "2.2.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "8080FB82-5445-4A17-9ECB-806991906E80", "versionEndIncluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCBC38C5-781E-4998-877D-42265F1DBD05", "versionEndIncluding": "2.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "6ACE6376-2E27-4F56-9315-03367963DB09", "versionEndIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6."}, {"lang": "es", "value": "Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: versiones 2.5.0 y anteriores, anteriores a la revisi\u00f3n del trunk 62422 contiene una vulnerabilidad de verificaci\u00f3n incorrecta de firma criptogr\u00e1fica en package.rb que puede resultar en la instalaci\u00f3n de una gema mal firmada, ya que tarball contendr\u00eda m\u00faltiples firmas de gema. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 2.7.6."}], "id": "CVE-2018-1000076", "lastModified": "2024-11-21T03:39:35.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-13T15:29:00.613", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0663"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3621-1/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2018/dsa-4219"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2018/dsa-4259"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:3729"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:3730"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:3731"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2028"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2020:0542"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2020:0591"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2020:0663"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/3621-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2018/dsa-4219"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2018/dsa-4259"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:2028", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "ruby-0:2.0.0.648-36.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:0591", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "ruby-0:2.0.0.648-35.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0591", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "ruby-0:2.0.0.648-35.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0591", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "ruby-0:2.0.0.648-35.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0542", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "ruby-0:2.0.0.648-35.el7_5", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2020-02-19T00:00:00Z"}, {"advisory": "RHSA-2020:0663", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "ruby-0:2.0.0.648-36.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-03-03T00:00:00Z"}, {"advisory": "RHSA-2018:3729", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby23-ruby-0:2.3.8-69.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3730", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby24-ruby-0:2.4.5-91.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3729", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-69.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3730", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.5-91.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3731", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3729", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-69.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3730", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.5-91.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3731", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3729", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-69.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3730", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.5-91.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3731", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3729", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-69.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3730", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.5-91.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2018-11-29T00:00:00Z"}, {"advisory": "RHSA-2018:3731", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2018-11-29T00:00:00Z"}], "bugzilla": {"description": "rubygems: Improper verification of signatures in tarball allows to install mis-signed gem", "id": "1547421", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547421"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-347", "details": ["RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6."], "name": "CVE-2018-1000076", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "rubygems", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Will not fix", "package_name": "rubygems", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "rubygems", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygems", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2018-02-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000076\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000076\nhttps://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/"], "statement": "This issue affects the versions of rubygems as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\nThis issue affects the versions of rubygems as shipped with Red Hat Satellite version 6 on Red Hat Enterprise Linux version 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate"}