Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-17742 CVE-2017-17790 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780

Path traversal when writing to a symlinked basedir outside of the rootRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000073) Improper verification of signatures in tarball allows to install mis-signed gem:RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000076) Infinite loop vulnerability due to negative size in tar header causes Denial of ServiceRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000075) Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution:The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790) Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL:RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000077) XSS vulnerability in homepage attribute when displayed via gem serverRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078) Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAMLRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000074) Path traversal issue during gem installation allows to write to arbitrary filesystem locationsRubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000079) If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients.(CVE-2017-17742) The Dir.mktmpdir method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers "../", so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.(CVE-2018-6914) If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.(CVE-2018-8777) String#unpack receives format specifiers as its parameter, and can be specified the position of parsing the data by the specifier @. If a big number is passed with @, the number is treated as the negative value, and out-of-buffer read is occurred. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on heaps.(CVE-2018-8778) UNIXServer.open accepts the path of the socket to be created at the first parameter. If the path contains NUL (\0) bytes, this method recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created at the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path.(CVE-2018-8779) Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can make the unintentional directory traversal.(CVE-2018-8780)

Source

ALAS-2018-983

Amazon Linux AMI Security Advisory: ALAS-2018-983
Advisory Release Date: 2018-04-04 23:18 Pacific
Advisory Updated Date: 2018-05-10 23:19 Pacific

Severity: Medium

References: CVE-2017-17742 CVE-2017-17790 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780

Issue Overview:

Path traversal when writing to a symlinked basedir outside of the root
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000073)

Improper verification of signatures in tarball allows to install mis-signed gem:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000076)

Infinite loop vulnerability due to negative size in tar header causes Denial of Service
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000075)

Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution:
The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)

Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000077)

XSS vulnerability in homepage attribute when displayed via gem server
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078)

Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000074)

Path traversal issue during gem installation allows to write to arbitrary filesystem locations
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000079)

If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients.(CVE-2017-17742)

The Dir.mktmpdir method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers "../", so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.(CVE-2018-6914)

If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.(CVE-2018-8777)

String#unpack receives format specifiers as its parameter, and can be specified the position of parsing the data by the specifier @. If a big number is passed with @, the number is treated as the negative value, and out-of-buffer read is occurred. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on heaps.(CVE-2018-8778)

UNIXServer.open accepts the path of the socket to be created at the first parameter. If the path contains NUL (\0) bytes, this method recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created at the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path.(CVE-2018-8779)

Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can make the unintentional directory traversal.(CVE-2018-8780)

Affected Packages:

ruby20, ruby22, ruby23, ruby24

Issue Correction:
Run yum update ruby20 to update your system.
Run yum update ruby22 to update your system.
Run yum update ruby23 to update your system.
Run yum update ruby24 to update your system.

New Packages:

i686:
    ruby23-2.3.7-1.19.amzn1.i686
    rubygem23-psych-2.1.0.1-1.19.amzn1.i686
    rubygem23-io-console-0.4.5-1.19.amzn1.i686
    ruby23-devel-2.3.7-1.19.amzn1.i686
    rubygem23-bigdecimal-1.2.8-1.19.amzn1.i686
    rubygem23-json-1.8.3.1-1.19.amzn1.i686
    ruby23-libs-2.3.7-1.19.amzn1.i686
    ruby23-debuginfo-2.3.7-1.19.amzn1.i686
    rubygem24-json-2.0.4-1.30.6.amzn1.i686
    ruby24-2.4.4-1.30.6.amzn1.i686
    ruby24-libs-2.4.4-1.30.6.amzn1.i686
    ruby24-devel-2.4.4-1.30.6.amzn1.i686
    rubygem24-bigdecimal-1.3.2-1.30.6.amzn1.i686
    rubygem24-io-console-0.4.6-1.30.6.amzn1.i686
    rubygem24-xmlrpc-0.2.1-1.30.6.amzn1.i686
    rubygem24-psych-2.2.2-1.30.6.amzn1.i686
    ruby24-debuginfo-2.4.4-1.30.6.amzn1.i686
    rubygem22-bigdecimal-1.2.6-1.11.amzn1.i686
    ruby22-libs-2.2.10-1.11.amzn1.i686
    ruby22-debuginfo-2.2.10-1.11.amzn1.i686
    rubygem22-io-console-0.4.3-1.11.amzn1.i686
    ruby22-devel-2.2.10-1.11.amzn1.i686
    ruby22-2.2.10-1.11.amzn1.i686
    rubygem22-psych-2.0.8.1-1.11.amzn1.i686
    rubygem20-psych-2.0.0-1.31.amzn1.i686
    ruby20-2.0.0.648-1.31.amzn1.i686
    ruby20-debuginfo-2.0.0.648-1.31.amzn1.i686
    rubygem20-io-console-0.4.2-1.31.amzn1.i686
    ruby20-libs-2.0.0.648-1.31.amzn1.i686
    ruby20-devel-2.0.0.648-1.31.amzn1.i686
    rubygem20-bigdecimal-1.2.0-1.31.amzn1.i686

noarch:
    rubygems23-devel-2.5.2.3-1.19.amzn1.noarch
    rubygem23-did_you_mean-1.0.0-1.19.amzn1.noarch
    ruby23-doc-2.3.7-1.19.amzn1.noarch
    ruby23-irb-2.3.7-1.19.amzn1.noarch
    rubygems23-2.5.2.3-1.19.amzn1.noarch
    rubygems24-devel-2.6.14.1-1.30.6.amzn1.noarch
    ruby24-irb-2.4.4-1.30.6.amzn1.noarch
    ruby24-doc-2.4.4-1.30.6.amzn1.noarch
    rubygems24-2.6.14.1-1.30.6.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-1.30.6.amzn1.noarch
    rubygems22-2.4.5.2-1.11.amzn1.noarch
    ruby22-irb-2.2.10-1.11.amzn1.noarch
    rubygems22-devel-2.4.5.2-1.11.amzn1.noarch
    ruby22-doc-2.2.10-1.11.amzn1.noarch
    rubygems20-2.0.14.1-1.31.amzn1.noarch
    ruby20-irb-2.0.0.648-1.31.amzn1.noarch
    ruby20-doc-2.0.0.648-1.31.amzn1.noarch
    rubygems20-devel-2.0.14.1-1.31.amzn1.noarch

src:
    ruby23-2.3.7-1.19.amzn1.src
    ruby24-2.4.4-1.30.6.amzn1.src
    ruby22-2.2.10-1.11.amzn1.src
    ruby20-2.0.0.648-1.31.amzn1.src

x86_64:
    ruby23-libs-2.3.7-1.19.amzn1.x86_64
    rubygem23-psych-2.1.0.1-1.19.amzn1.x86_64
    ruby23-debuginfo-2.3.7-1.19.amzn1.x86_64
    ruby23-2.3.7-1.19.amzn1.x86_64
    rubygem23-io-console-0.4.5-1.19.amzn1.x86_64
    rubygem23-json-1.8.3.1-1.19.amzn1.x86_64
    rubygem23-bigdecimal-1.2.8-1.19.amzn1.x86_64
    ruby23-devel-2.3.7-1.19.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-1.30.6.amzn1.x86_64
    rubygem24-io-console-0.4.6-1.30.6.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-1.30.6.amzn1.x86_64
    ruby24-devel-2.4.4-1.30.6.amzn1.x86_64
    rubygem24-psych-2.2.2-1.30.6.amzn1.x86_64
    rubygem24-json-2.0.4-1.30.6.amzn1.x86_64
    ruby24-2.4.4-1.30.6.amzn1.x86_64
    ruby24-libs-2.4.4-1.30.6.amzn1.x86_64
    ruby24-debuginfo-2.4.4-1.30.6.amzn1.x86_64
    ruby22-debuginfo-2.2.10-1.11.amzn1.x86_64
    rubygem22-psych-2.0.8.1-1.11.amzn1.x86_64
    ruby22-devel-2.2.10-1.11.amzn1.x86_64
    ruby22-libs-2.2.10-1.11.amzn1.x86_64
    rubygem22-bigdecimal-1.2.6-1.11.amzn1.x86_64
    rubygem22-io-console-0.4.3-1.11.amzn1.x86_64
    ruby22-2.2.10-1.11.amzn1.x86_64
    rubygem20-bigdecimal-1.2.0-1.31.amzn1.x86_64
    ruby20-libs-2.0.0.648-1.31.amzn1.x86_64
    ruby20-2.0.0.648-1.31.amzn1.x86_64
    ruby20-devel-2.0.0.648-1.31.amzn1.x86_64
    rubygem20-io-console-0.4.2-1.31.amzn1.x86_64
    rubygem20-psych-2.0.0-1.31.amzn1.x86_64
    ruby20-debuginfo-2.0.0.648-1.31.amzn1.x86_64

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ALAS-2018-983

ALAS-2018-983

Vulmon Search

About

Products

Connect