Directory Traversal Affecting ruby2.5-devel-extra package, versions <2.5.5-4.3.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES150-RUBY25DEVELEXTRA-2743078
- published 14 Apr 2022
- disclosed 10 Jul 2019
Introduced: 10 Jul 2019
CVE-2018-1000079 Open this link in a new tabHow to fix?
Upgrade SLES:15.0 ruby2.5-devel-extra to version 2.5.5-4.3.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ruby2.5-devel-extra package and not the ruby2.5-devel-extra package as distributed by SLES.
See How to fix? for SLES:15.0 relevant fixed versions and status.
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
References
- https://www.suse.com/security/cve/CVE-2018-1000079.html
- https://bugzilla.suse.com/1082058
- https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
- https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- https://usn.ubuntu.com/3621-1/
- https://www.debian.org/security/2018/dsa-4219
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://www.debian.org/security/2018/dsa-4259
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3729
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0663