RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2017-10-11T18:00:00Z

Updated: 2024-09-17T03:54:57.184Z

Reserved: 2016-11-30T00:00:00

Link: CVE-2017-0903

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-10-11T18:29:00.583

Modified: 2024-11-21T03:03:51.800

Link: CVE-2017-0903

cve-icon Redhat

Severity : Moderate

Publid Date: 2017-10-10T00:00:00Z

Links: CVE-2017-0903 - Bugzilla