Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Debian LTS Advisory ([SECURITY] [DLA 1336-1] rubygems security update)

Information

Severity

Severity

High

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

7.5

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution Type

Solution Type

Vendor Patch

Created

Created

4 years ago

Modified

Modified

3 years ago

Summary

Multiple vulnerabilities were found in rubygems, a package management framework for Ruby. CVE-2018-1000075 A negative size vulnerability in ruby gem package tar header that could cause an infinite loop. CVE-2018-1000076 Ruby gems package improperly verifies cryptographic signatures. A mis-signed gem could be installed if the tarball contains multiple gem signatures. CVE-2018-1000077 An improper input validation vulnerability in ruby gems specification homepage attribute could allow malicious gem to set an invalid homepage URL. CVE-2018-1000078 Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute

Affected Software

Affected Software

rubygems on Debian Linux

Detection Method

Detection Method

This check tests the installed software version using the apt package manager.

Solution

Solution

For Debian 7 'Wheezy', these problems have been fixed in version 1.8.24-1+deb7u2. We recommend that you upgrade your rubygems packages.

Common Vulnerabilities and Exposures (CVE)