Required CVE Record Information
Description
RubyGems as bundled with Ruby 2.2 series (2.2.9 and earlier), Ruby 2.3 series (2.3.6 and earlier), Ruby 2.4 series (2.4.3 and earlier), Ruby 2.5 series (2.5.0 and earlier), and trunk prior to revision 62422, contains a directory traversal vulnerability in the install_location function of package.rb. The check that keeps extracted files under the install root does not account for symbolic links, so when the base directory being written to is a symlink pointing outside the root, files from a crafted gem can be written outside that root. The vulnerability was fixed in RubyGems 2.7.6.
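The following is an added example, not code from RubyGems or from the referenced fix commit. It models the bug class the description names: a containment check built only on File.expand_path is lexical and never consults the filesystem, so a directory under the install root that is actually a symlink to somewhere else passes the check, and the file write lands outside the root. The hardened version resolves the deepest existing ancestor of the target with File.realpath before comparing prefixes. The function names install_location_lexical and install_location_safe, the PathError class, and the temp-directory scenario (a root/ containing a symlink lib -> outside/, standing in for a symlink entry a crafted archive could create before the file entries under lib/ are extracted) are all constructed for this example and are simplifications of the real install_location.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical error class for this example (RubyGems has its own PathError).
class PathError < StandardError; end

# Pre-fix shape: purely lexical containment. File.expand_path normalises ".."
# but never looks at the filesystem, so an existing symlink component under
# destination_dir is invisible to the prefix check.
def install_location_lexical(filename, destination_dir)
  raise PathError, "absolute path: #{filename}" if filename.start_with?("/")
  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))
  raise PathError, "#{filename} escapes #{destination_dir}" unless
    destination.start_with?(destination_dir + "/")
  destination
end

# Hardened shape: keep the lexical check, then resolve the deepest already
# existing ancestor of the target with File.realpath and require that it still
# lies inside the realpath of destination_dir. Components that do not exist
# yet will be created beneath that verified ancestor, so they cannot escape.
def install_location_safe(filename, destination_dir)
  destination_dir = File.realpath(File.expand_path(destination_dir))
  destination = install_location_lexical(filename, destination_dir)
  existing = File.dirname(destination)
  existing = File.dirname(existing) until File.symlink?(existing) || File.exist?(existing)
  resolved = begin
    File.realpath(existing)
  rescue SystemCallError
    raise PathError, "dangling symlink on the way to #{filename}"
  end
  unless resolved == destination_dir || resolved.start_with?(destination_dir + "/")
    raise PathError, "#{filename} resolves to #{resolved}, outside #{destination_dir}"
  end
  destination
end

# Helper: true if the block raises PathError, false if it returns normally.
def rejected?
  yield
  false
rescue PathError
  true
end

# Constructed scenario (not a real gem): root/lib is a symlink to outside/.
# Returns a hash of outcomes so the behaviour can be checked, not just printed.
def demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "root")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p(root)
    FileUtils.mkdir_p(outside)
    File.symlink(outside, File.join(root, "lib"))

    # The lexical check accepts lib/evil.rb; a write to that path would follow
    # the symlink and land in outside/, i.e. outside the install root.
    lexical_dest = install_location_lexical("lib/evil.rb", root)
    {
      lexical_accepts_symlink:
        File.realpath(File.dirname(lexical_dest)) == File.realpath(outside),
      safe_rejects_symlink: rejected? { install_location_safe("lib/evil.rb", root) },
      safe_accepts_plain: !rejected? { install_location_safe("ext/ok.rb", root) },
      both_reject_dotdot: rejected? { install_location_lexical("../x", root) } &&
                          rejected? { install_location_safe("../x", root) },
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The lexical version still catches the classic `../` form, which is why a fix for that alone was not enough here: the escape does not need `..` at all, only a symlink that the archive itself is allowed to plant earlier in the extraction order. Any extractor that creates symlinks from untrusted input needs the realpath-based check (or must refuse symlink entries outright).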
References 14 Total
- debian.org: DSA-4219 vendor-advisory
- usn.ubuntu.com: USN-3621-1 vendor-advisory
- access.redhat.com: RHSA-2018:3729 vendor-advisory
- access.redhat.com: RHSA-2018:3730 vendor-advisory
- access.redhat.com: RHSA-2018:3731 vendor-advisory
- https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
- lists.debian.org: [debian-lts-announce] 20180827 [SECURITY] [DLA 1480-1] ruby2.1 security update mailing-list
- debian.org: DSA-4259 vendor-advisory
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- lists.opensuse.org: openSUSE-SU-2019:1771 vendor-advisory
- access.redhat.com: RHSA-2019:2028 vendor-advisory
- access.redhat.com: RHSA-2020:0542 vendor-advisory
- access.redhat.com: RHSA-2020:0591 vendor-advisory
- access.redhat.com: RHSA-2020:0663 vendor-advisory