RubySec

Providing security resources for the Ruby community

CVE-2017-0903 (rubygems-update): Unsafe Object Deserialization Vulnerability in RubyGems

ADVISORIES

GEM

rubygems-update

SEVERITY

CVSS v2: 7.5

UNAFFECTED VERSIONS

  • < 2.0.0

PATCHED VERSIONS

  • >= 2.6.14

DESCRIPTION

There is a possible unsafe object deserialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.