Description
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
Remediation
References
Related Vulnerabilities
WordPress Plugin WP Statistics SQL Injection (13.1.4)
WordPress Plugin Wholesale Market for WooCommerce Directory Traversal (1.0.8)
Craft CMS Files or Directories Accessible to External Parties Vulnerability (CVE-2024-52292)
WordPress Plugin NAB Transact Security Bypass (2.1.0)
WordPress Plugin Comment Rating SQL Injection and Security Bypass Weakness Vulnerabilities (2.9.32)