CVE-2018-1000073
- Source
- https://cve.org/CVERecord?id=CVE-2018-1000073
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000073.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-1000073
- Aliases
- Downstream
- Related
- Published
- 2018-03-13T15:29:00.427Z
- Modified
- 2026-03-20T11:22:06.983209Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
- References
-
- https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
- https://usn.ubuntu.com/3621-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://www.debian.org/security/2018/dsa-4259
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://www.debian.org/security/2018/dsa-4219
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0663
- https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
Affected packages
Git / github.com/ruby/rubygems
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ruby/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/rubygems/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "2.2.9" }, { "introduced": "0" }, { "last_affected": "2.3.6" }, { "introduced": "0" }, { "last_affected": "2.4.3" }, { "introduced": "0" }, { "last_affected": "2.5.0" } ] }
Affected versions
bundler-v2.*
bundler-v2.2.0
bundler-v2.2.0.rc.1
bundler-v2.2.0.rc.2
bundler-v2.2.1
bundler-v2.2.2
bundler-v2.2.3
bundler-v2.2.4
bundler-v2.2.5
bundler-v2.2.6
bundler-v2.2.7
bundler-v2.2.8
bundler-v2.2.9
bundler-v2.3.0
bundler-v2.3.1
bundler-v2.3.2
bundler-v2.3.3
bundler-v2.3.4
bundler-v2.3.5
bundler-v2.3.6
v1.*
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.0.preview2
v2.0.0.preview2.1
v2.0.0.preview2.2
v2.0.0.rc.1
v2.0.0.rc.2
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.0.rc.1
v2.1.0.rc.2
v2.1.1
v2.1.2
v2.1.3
v2.2.0.preview.1
v2.2.0.rc.1
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.1
v2.7.10
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v3.*
v3.0.0
v3.0.0.beta1
v3.0.0.beta3
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0.pre1
v3.2.0
v3.2.0.rc.1
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6