Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Remediation

References

CVE-2017-0903

Related Vulnerabilities

MySQL CVE-2018-3056 Vulnerability (CVE-2018-3056)

phpMyAdmin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-4579)

Oracle JRE CVE-2013-5788 Vulnerability (CVE-2013-5788)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-14169)

SharePoint Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-0920)

Severity

Critical

Classification

CVE-2017-0903 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities