CVE-2018-1000078
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000078
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000078.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-1000078
- Aliases
- Related
- Published
- 2018-03-13T15:29:00Z
- Modified
- 2024-09-11T04:21:47.395158Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
- References
-
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0663
- https://www.debian.org/security/2018/dsa-4219
- https://www.debian.org/security/2018/dsa-4259
- https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://usn.ubuntu.com/3621-1/
- https://security-tracker.debian.org/tracker/CVE-2018-1000078
Affected packages
Debian:12 / jruby
Package
- Name
- jruby
- Purl
- pkg:deb/debian/jruby?arch=source
Debian:13 / jruby
Package
- Name
- jruby
- Purl
- pkg:deb/debian/jruby?arch=source
Debian:11 / rubygems
Package
- Name
- rubygems
- Purl
- pkg:deb/debian/rubygems?arch=source
Debian:12 / rubygems
Package
- Name
- rubygems
- Purl
- pkg:deb/debian/rubygems?arch=source
Debian:13 / rubygems
Package
- Name
- rubygems
- Purl
- pkg:deb/debian/rubygems?arch=source
Git / github.com/rubygems/rubygems
Affected ranges
- Type
- GIT
- Repo
- https://github.com/rubygems/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.0.preview2
v2.0.0.preview2.1
v2.0.0.preview2.2
v2.0.0.rc.1
v2.0.0.rc.2
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.0.rc.1
v2.1.0.rc.2
v2.1.1
v2.1.2
v2.1.3
v2.2.0.preview.1
v2.2.0.rc.1
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5