CVE-2017-0903

Public on 2017-10-02
Modified on 2018-03-23
Description
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
Severity
Medium
CVSS v3 Base Score
5.6
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 ruby22 2018-03-21 22:27 ALAS-2018-978
Amazon Linux 1 ruby22 2017-10-02 17:01 ALAS-2017-906
Amazon Linux 1 ruby24 2018-03-21 22:27 ALAS-2018-978
Amazon Linux 1 ruby24 2017-10-26 17:01 ALAS-2017-915
Amazon Linux 1 ruby23 2018-03-21 22:27 ALAS-2018-978
Amazon Linux 1 ruby23 2017-10-02 17:01 ALAS-2017-906
Amazon Linux 1 ruby22 2018-03-21 22:27 ALAS-2018-978
Amazon Linux 1 ruby22 2017-10-02 17:01 ALAS-2017-906
Amazon Linux 1 ruby23 2018-03-21 22:27 ALAS-2018-978
Amazon Linux 1 ruby23 2017-10-02 17:01 ALAS-2017-906
Amazon Linux 1 ruby24 2018-03-21 22:27 ALAS-2018-978
Amazon Linux 1 ruby24 2017-10-26 17:01 ALAS-2017-915

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD CVSSv2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD CVSSv3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H