CVE-2017-0899

Published: August 31, 2023Last modified: August 31, 2023

Description

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

Severity score breakdown

Status

References

• http://blog.rubygems.org/2017/08/27/2.6.13-released.html
• http://www.securityfocus.com/bid/100576
• http://www.securitytracker.com/id/1039249
• https://access.redhat.com/errata/RHSA-2017:3485
• https://access.redhat.com/errata/RHSA-2018:0378
• https://access.redhat.com/errata/RHSA-2018:0583
• https://access.redhat.com/errata/RHSA-2018:0585
• https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
• https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
• https://hackerone.com/reports/226335
• https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
• https://security.gentoo.org/glsa/201710-01
• https://www.debian.org/security/2017/dsa-3966