|Description||RubyGems as shipped with Ruby 2.2.9 and earlier (2.2 series), 2.3.6 and earlier (2.3 series), 2.4.3 and earlier (2.4 series), 2.5.0 and earlier (2.5 series), and Ruby trunk before revision 62422, contains a directory traversal vulnerability in gem installation: file entries of a gem can be written to arbitrary filesystem locations during installation. Exploitation requires the victim to install a malicious gem. The issue was fixed in RubyGems 2.7.6.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|References||DLA-1421-1, DSA-4219-1, DSA-4259-1|
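The vulnerability class described above is a gem whose tarball contains entry names such as `../../etc/cron.d/x` or an absolute path, which a naive installer joins onto the install directory and writes. The following is an added example, not RubyGems' own code and not the upstream fix: it models the containment check an installer must perform on every entry (resolve the destination with `File.expand_path`/`File.realpath`, then require that the result lies strictly below the install directory, separator included) beside the naive path computation that lets the entry escape. The entry names and the `GemPathError` class are constructed for the example.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical error class for this example (RubyGems has its own).
class GemPathError < StandardError; end

# Naive resolution: what a vulnerable installer effectively does. It returns
# wherever the entry name points after normalisation, even outside dest_dir.
def naive_install_location(entry_name, dest_dir)
  File.expand_path(File.join(dest_dir, entry_name))
end

# Hardened resolution: return the absolute path +entry_name+ would be written
# to, or raise GemPathError if that path is not strictly inside +dest_dir+.
def safe_install_location(entry_name, dest_dir)
  raise GemPathError, "absolute path in gem: #{entry_name}" if entry_name.start_with?("/")

  dest_dir = File.expand_path(dest_dir)
  # Resolve symlinks in the destination so the prefix test compares like with like.
  dest_dir = File.realpath(dest_dir) if File.directory?(dest_dir)
  target = File.expand_path(File.join(dest_dir, entry_name))

  # The trailing separator matters: without it "/gems/rack-2.0" would accept
  # "/gems/rack-2.0-evil/x", a sibling directory rather than a child.
  unless target.start_with?(dest_dir + File::SEPARATOR)
    raise GemPathError, "#{entry_name} resolves outside #{dest_dir}"
  end
  target
end

# Constructed entry names such as a malicious gem's tar might carry.
SAMPLE_ENTRIES = [
  "lib/evil.rb",            # ordinary entry, must be accepted
  "../../../../tmp/pwned",  # classic traversal
  "/etc/cron.d/evil",       # absolute path
  "lib/../../sibling/x.rb", # traversal hidden in the middle of the path
].freeze

# Install +entries+ into +dest_dir+ using the hardened check.
# Returns [written_names, rejected_names].
def install_entries(entries, dest_dir)
  written, rejected = [], []
  entries.each do |name|
    begin
      path = safe_install_location(name, dest_dir)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "# placeholder content for #{name}\n")
      written << name
    rescue GemPathError
      rejected << name
    end
  end
  [written, rejected]
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp|
    dest = File.join(tmp, "rack-2.0")
    Dir.mkdir(dest)
    written, rejected = install_entries(SAMPLE_ENTRIES + ["../rack-2.0-evil/evil.rb"], dest)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
    puts "naive target for traversal entry: #{naive_install_location(SAMPLE_ENTRIES[1], dest)}"
  end
end
```

The check above only covers entry names. A complete installer also has to decide what to do with symlink and hard-link entries in the archive, since a link created inside `dest_dir` that points outside it turns a later, correctly contained write into an escape; that is a separate control and is not modelled here.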
Vulnerable and fixed packages
The table below lists information on source packages.
|Source Package||Release||Version||Status|
|jruby (PTS)||stretch (security), stretch||1.7.26-1+deb9u1||fixed|
|jruby (PTS)||bullseye, sid, buster||126.96.36.199-3||fixed|
|ruby2.3 (PTS)||stretch (security), stretch||2.3.3-1+deb9u7||fixed|
The information below is based on the following data on fixed versions.
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
[jessie] - jruby <not-affected> (Vulnerable code not present)
[wheezy] - jruby <not-affected> (Vulnerable code not present)