The MITRE CVE dictionary describes this issue as:

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in the install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

Find out more about CVE-2018-1000073 from the MITRE CVE dictionary and NIST NVD.
This issue affects the versions of rubygems as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue affects the versions of rubygems as shipped with Red Hat Satellite version 6 on Red Hat Enterprise Linux version 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
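The weakness described above is that a lexical "does the joined path start with the install root" check is not enough: a directory inside the root that is actually a symlink pointing elsewhere lets a gem entry such as `lib/x.rb` be written outside the root. The following is an added example, not RubyGems' own `install_location` code, showing a hypothetical `safe_install_location` helper that performs both the lexical check and a physical check that follows symlinks in existing parent directories; the `demo` method and its directory names are constructed for illustration.

```ruby
require "fileutils"
require "tmpdir"

# Resolve an archive entry name to an absolute path under +root+, refusing any
# entry whose real location (after expanding ".." segments and following
# symlinks in already-existing parent directories) lies outside +root+.
# Hypothetical helper written for this advisory; not RubyGems' own code.
# Returns the safe absolute destination, or nil when the entry must be rejected.
def safe_install_location(root, entry)
  return nil if entry.start_with?("/")
  root = File.realpath(File.expand_path(root))

  # Lexical check: ".." segments must not climb above the root.
  dest = File.expand_path(File.join(root, entry))
  return nil unless dest.start_with?(root + File::SEPARATOR)

  # Physical check: walk each parent component that already exists and resolve
  # it with realpath. A symlinked directory inside root that points elsewhere
  # would otherwise redirect the write outside root despite the lexical check.
  current = root
  entry.split(File::SEPARATOR)[0...-1].each do |part|
    current = File.join(current, part)
    break unless (File.lstat(current) rescue nil) # not present yet: created under root
    begin
      current = File.realpath(current)
    rescue Errno::ENOENT
      return nil                                 # dangling symlink: reject
    end
    return nil unless current == root || current.start_with?(root + File::SEPARATOR)
  end
  dest
end

# Demonstration on constructed directories: "lib" inside the root is a symlink
# to a directory outside it, mirroring the symlinked-basedir case.
def demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "gem_root")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p([root, outside])
    File.symlink(outside, File.join(root, "lib"))
    {
      plain:   safe_install_location(root, "bin/tool.rb"),   # accepted
      dotdot:  safe_install_location(root, "../escape.rb"),  # rejected (nil)
      symlink: safe_install_location(root, "lib/evil.rb"),   # rejected (nil)
    }
  end
end
```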
Metric | Value |
---|---|
CVSS3 Base Score | 5.5 |
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Attack Vector | Local |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Unchanged |
Confidentiality Impact | None |
Integrity Impact | High |
Availability Impact | None |
Platform | Errata | Release Date |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby24-ruby) | RHSA-2018:3730 | 2018-11-29 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby23-ruby) | RHSA-2018:3729 | 2018-11-29 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby23-ruby) | RHSA-2018:3729 | 2018-11-29 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby24-ruby) | RHSA-2018:3730 | 2018-11-29 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby25-ruby) | RHSA-2018:3731 | 2018-11-29 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | ruby193-rubygems | Will not fix |
Red Hat Satellite 6 | rubygems | Will not fix |
Red Hat Enterprise MRG 2 | rubygems | Will not fix |
Red Hat Enterprise Linux 7 | ruby | Affected |
Red Hat Enterprise Linux 6 | rubygems | Will not fix |