Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

RubyGems Deserialization of Untrusted Data Vulnerability (CVE-2017-0903)

Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Remediation

References

Related Vulnerabilities

Oracle Application Server CVE-2008-3986 Vulnerability (CVE-2008-3986)

WordPress Plugin WP Maps-Display Google Maps Perfectly with Ease Cross-Site Scripting (4.0.4)

WordPress Plugin Easy Custom Sidebars Unspecified Vulnerability (1.0.1)

WordPress Plugin PI Button includes Backdoor [Only if downloaded via the vendor website] (3.3.3)

TYPO3 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2011-3583)

Severity

Critical

Classification

CVE-2017-0903 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities