What is the vulnerability ID for this RubyGems vulnerability?

The vulnerability ID for this RubyGems vulnerability is CVE-2018-1000076.

What is the severity of CVE-2018-1000076?

The severity of CVE-2018-1000076 is medium.

Which versions of RubyGems are affected by CVE-2018-1000076?

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 are affected by CVE-2018-1000076.

How do I fix CVE-2018-1000076?

To fix CVE-2018-1000076, update RubyGems to version 2.7.6 or later.

Where can I find more information about CVE-2018-1000076?

You can find more information about CVE-2018-1000076 in the following references: http://blog.rubygems.org/2018/02/15/2.7.6-released.html, https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693, https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html

Vulnerability/
CVE-2018-1000076

critical

9.8

CWE

347

21/2/2018

13/3/2018

5/8/2024

CVE-2018-1000076

First published: Wed Feb 21 2018(Updated: )

Improper verification of signatures in tarball allows to install mis-signed gem when tarball contain multiple gem signatures. Upstream fix: <a href="https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693">https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693</a> External References: <a href="https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/">https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/</a>

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Rubygems Rubygems	<=2.2.9
Rubygems Rubygems	<=2.3.6
Rubygems Rubygems	<=2.4.3
Rubygems Rubygems	<=2.5.0
Debian Debian Linux	=7.0
redhat/rubygems	<2.7.6	2.7.6
debian/jruby		9.3.9.0+ds-8 9.4.8.0+ds-1
debian/rubygems		3.2.5-2 3.3.15-2 3.4.20-1

Remedy

https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this RubyGems vulnerability?
The vulnerability ID for this RubyGems vulnerability is CVE-2018-1000076.
What is the severity of CVE-2018-1000076?
The severity of CVE-2018-1000076 is medium.
Which versions of RubyGems are affected by CVE-2018-1000076?
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 are affected by CVE-2018-1000076.
How do I fix CVE-2018-1000076?
To fix CVE-2018-1000076, update RubyGems to version 2.7.6 or later.
Where can I find more information about CVE-2018-1000076?
You can find more information about CVE-2018-1000076 in the following references: http://blog.rubygems.org/2018/02/15/2.7.6-released.html, https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693, https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html

collector/nvd-index
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/author
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-1000076
agent/remedy
agent/weakness
agent/description
agent/severity
agent/references
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/tags
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/rubygems
canonical/rubygems rubygems
version/rubygems rubygems/2.2.9
version/rubygems rubygems/2.3.6
version/rubygems rubygems/2.4.3
version/rubygems rubygems/2.5.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/7.0
package-manager/redhat
package-manager/debian