| Field | Value |
|---|---|
| Description | RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| NVD severity | high (attack range: remote) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby2.3 (PTS) | stretch (security), stretch | 2.3.3-1+deb9u2 | fixed |
The information below is based on the following data on fixed versions.
[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code introduced later)
[wheezy] - rubygems <not-affected> (Vulnerable code introduced later)
Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49