Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Remediation

References

CVE-2017-0903

Related Vulnerabilities

Oracle HTTP Server CVE-2020-2545 Vulnerability (CVE-2020-2545)

WordPress Plugin Article Directory Redux Cross-Site Scripting (1.0.2)

WordPress Plugin Advanced XML Reader XML External Entity Information Disclosure (0.3.4)

Apache HTTP Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2003-1581)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-14996)

Severity

Critical

Classification

CVE-2017-0903 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities