CVE-2017-0899
CRITICAL9.8EPSS 9.3%RubyGems Code Injection vulnerability
Published: 5/13/2022Modified: 4/28/2026
Description
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Affected packages (3)
- Alpine/rubyfrom 0, < 2.4.2-r0
- Debian/rubygemsfrom 0, < 3.2.0~rc.1-1
- RubyGems/rubygems-updatefrom 0, < 2.6.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (17)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-0899
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2017-0899
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-0899
- PATCHhttps://github.com/rubygems/rubygems
- WEBhttp://blog.rubygems.org/2017/08/27/2.6.13-released.html
- WEBhttps://access.redhat.com/errata/RHSA-2017:3485
- WEBhttps://access.redhat.com/errata/RHSA-2018:0378
- WEBhttps://access.redhat.com/errata/RHSA-2018:0583
- WEBhttps://access.redhat.com/errata/RHSA-2018:0585
- WEBhttps://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
- WEBhttps://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
- WEBhttps://hackerone.com/reports/226335
- WEBhttps://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- WEBhttps://security.gentoo.org/glsa/201710-01
- WEBhttps://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249
- WEBhttps://web.archive.org/web/20170915000000*/http://www.securityfocus.com/bid/100576#:~:text=1%20snapshot-,11%3A49%3A33,-Note
- WEBhttps://www.debian.org/security/2017/dsa-3966