Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Remediation

References

CVE-2017-0903

Related Vulnerabilities

Atlassian Jira Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-20415)

WordPress Plugin Launcher:Coming Soon & Maintenance Mode Cross-Site Scripting (1.0.10)

WordPress Plugin Accept Stripe Donation-AidWP Cross-Site Request Forgery (3.1.5)

GlassFish CVE-2016-3607 Vulnerability (CVE-2016-3607)

phpMyFAQ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-3608)

Severity

Critical

Classification

CVE-2017-0903 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities