CVE-2017-0903
Public on 2017-10-02
Modified on 2018-03-23
Description
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
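The defensive pattern that closes this class of bug is to parse untrusted gem metadata with an allow-listing YAML loader rather than the unrestricted one, so that object tags outside the expected set are refused instead of instantiated. The following is an added illustration, not code from RubyGems or from this advisory: `GemMeta` and `Unexpected` are hypothetical stand-in classes, and the two YAML documents are constructed samples.

```ruby
require 'yaml'

# Hypothetical stand-in for the object a gem's metadata is expected to describe
# (not RubyGems' own Gem::Specification).
class GemMeta
  attr_reader :name, :version

  def initialize(name = nil, version = nil)
    @name = name
    @version = version
  end
end

# Hypothetical class that metadata should never be allowed to instantiate.
class Unexpected; end

# Constructed sample: well-formed metadata using only the expected class tag.
EXPECTED_METADATA = <<~YAML
  --- !ruby/object:GemMeta
  name: example-gem
  version: "1.0.0"
YAML

# Constructed sample: metadata carrying an object tag outside the allow-list.
# The loader must refuse it regardless of which class the tag names.
UNEXPECTED_TAG_METADATA = <<~YAML
  --- !ruby/object:Unexpected
  payload: anything
YAML

# Allow-listing loader: only the classes gem metadata is supposed to contain
# are revived; symbols and aliases are disabled as well.
def load_gem_metadata(yaml)
  Psych.safe_load(yaml,
                  permitted_classes: [GemMeta],
                  permitted_symbols: [],
                  aliases: false)
end

# Returns the loaded object's class name, or :rejected when the restricted
# loader refuses the document because of a disallowed tag.
def classify(yaml)
  load_gem_metadata(yaml).class.name
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "expected metadata   -> #{classify(EXPECTED_METADATA)}"
  puts "unexpected tag      -> #{classify(UNEXPECTED_TAG_METADATA)}"
end
```

`Psych.safe_load` with `permitted_classes` is available from Psych 3.1 (Ruby 2.6); on the Psych 3 series `YAML.load` was still the unrestricted loader, which is the behaviour this advisory describes, so code that inspects gem files should call the restricted entry point explicitly rather than rely on the default.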
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 1 | ruby22 | 2017-10-02 | ALAS-2017-906 | Fixed |
Amazon Linux 1 | ruby22 | 2018-03-21 | ALAS-2018-978 | Fixed |
Amazon Linux 1 | ruby23 | 2017-10-02 | ALAS-2017-906 | Fixed |
Amazon Linux 1 | ruby23 | 2018-03-21 | ALAS-2018-978 | Fixed |
Amazon Linux 1 | ruby24 | 2017-10-26 | ALAS-2017-915 | Fixed |
Amazon Linux 1 | ruby24 | 2018-03-21 | ALAS-2018-978 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 5.6 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
NVD | CVSSv2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD | CVSSv3 | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |