Unsafe Object Deserialization Vulnerability in RubyGems
Published: October 09, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2017-0903 (NVD)
- GHSA: GHSA-mqwr-4qf2-2hcv
- Vendor Advisory: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
GEM
LIBRARY
SEVERITY
UNAFFECTED VERSIONS: < 2.0.0
PATCHED VERSIONS: >= 2.6.14
DESCRIPTION
There is a possible unsafe object deserialization vulnerability in RubyGems. When RubyGems deserializes a gem specification from YAML, the class whitelist that is meant to restrict which Ruby classes the metadata may instantiate can be bypassed. Because that metadata is parsed whenever RubyGems loads a packaged gem (for example during `gem install`), a specially crafted serialized object in a gem's metadata can be used to escalate to remote code execution on the machine processing the gem. Check the installed version with `gem --version`; versions 2.0.0 up to and including 2.6.13 are affected, and `gem update --system` to 2.6.14 or later removes the issue.
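The class-whitelist idea the description refers to, as an added example that is not RubyGems' own code and does not reproduce the actual bypass: a constructed metadata document in the shape of a gemspec carries one extra node whose `!ruby/object:` tag names a class the format never needs. Psych's unsafe loader instantiates that class and runs its `init_with` hook (here `SmuggledObject`, a stand-in whose "command" is only recorded), while `Psych.safe_load` with an explicit `permitted_classes` list refuses the same document before any object is revived. `SpecVersion`, `SmuggledObject`, the two YAML constants and the helper functions are all assumptions made for this example; RubyGems' real whitelist is longer and lives elsewhere.

```ruby
require 'psych'

# Legitimate class a metadata document is expected to contain (assumption
# for this example; stands in for the version object a gemspec carries).
class SpecVersion
  attr_reader :version
end

# Stand-in for any class an attacker can name in a !ruby/object: tag.
# Constructed for this example; the "command" is recorded, never executed.
class SmuggledObject
  REVIVED = []                    # every payload the YAML loader revived
  attr_reader :payload

  def init_with(coder)            # Psych calls this hook while reviving
    @payload = coder['payload']
    REVIVED << @payload
  end
end

# The only non-basic class the document format needs. Anything else that
# appears with a !ruby/object: tag is an attack, not metadata.
PERMITTED_CLASSES = [SpecVersion].freeze

# Constructed metadata in the shape of a gemspec, with one smuggled node.
CRAFTED_METADATA = <<~YAML
  name: example
  version: !ruby/object:SpecVersion
    version: "1.0.0"
  summary: looks like an ordinary gemspec
  post_install: !ruby/object:SmuggledObject
    payload: "touch /tmp/pwned"
YAML

# The same document without the smuggled node.
BENIGN_METADATA = <<~YAML
  name: example
  version: !ruby/object:SpecVersion
    version: "1.0.0"
  summary: looks like an ordinary gemspec
YAML

# Full object deserialization: every !ruby/object: tag becomes an instance
# of the named class. Psych 4 made Psych.load safe by default, so use the
# explicit unsafe entry point where it exists (older Psych.load was unsafe).
def load_unsafely(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Whitelisted deserialization: basic types plus PERMITTED_CLASSES only,
# and no aliases, so a document cannot expand into a huge object graph.
def load_safely(yaml, permitted = PERMITTED_CLASSES)
  Psych.safe_load(yaml, permitted_classes: permitted, aliases: false)
end

# Returns [:accepted, document] or [:rejected, reason].
def safe_outcome(yaml)
  [:accepted, load_safely(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  doc = load_unsafely(CRAFTED_METADATA)
  puts "unsafe loader revived: #{doc['post_install'].class} " \
       "with #{doc['post_install'].payload.inspect}"
  puts "safe loader, crafted:  #{safe_outcome(CRAFTED_METADATA).inspect}"
  puts "safe loader, benign:   #{safe_outcome(BENIGN_METADATA).first}"
end
```

The whitelist only helps if every path that turns untrusted bytes into objects goes through it: the bug described above is not that RubyGems lacked a whitelist but that a crafted document could get around the one it had, so a review of such code should confirm that no loader without the restriction is reachable from gem metadata.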
