CVE-2018-1000076
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000076
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000076.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-1000076
- Aliases
- Related
- Published
- 2018-03-13T15:29:00Z
- Modified
- 2024-09-11T04:21:46.908745Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
- References
-
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0663
- https://www.debian.org/security/2018/dsa-4219
- https://www.debian.org/security/2018/dsa-4259
- https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://usn.ubuntu.com/3621-1/
- https://security-tracker.debian.org/tracker/CVE-2018-1000076
Affected packages
Debian:12 / jruby
Package
- Name
- jruby
- Purl
- pkg:deb/debian/jruby?arch=source
Debian:13 / jruby
Package
- Name
- jruby
- Purl
- pkg:deb/debian/jruby?arch=source
Debian:11 / rubygems
Package
- Name
- rubygems
- Purl
- pkg:deb/debian/rubygems?arch=source
Debian:12 / rubygems
Package
- Name
- rubygems
- Purl
- pkg:deb/debian/rubygems?arch=source
Debian:13 / rubygems
Package
- Name
- rubygems
- Purl
- pkg:deb/debian/rubygems?arch=source
Git / github.com/rubygems/rubygems
Affected ranges
- Type
- GIT
- Repo
- https://github.com/rubygems/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.0.preview2
v2.0.0.preview2.1
v2.0.0.preview2.2
v2.0.0.rc.1
v2.0.0.rc.2
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.0.rc.1
v2.1.0.rc.2
v2.1.1
v2.1.2
v2.1.3
v2.2.0.preview.1
v2.2.0.rc.1
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5