CVE-2018-1000078
- Source
- https://cve.org/CVERecord?id=CVE-2018-1000078
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000078.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-1000078
- Aliases
- Downstream
- Related
- Published
- 2018-03-13T15:29:00.723Z
- Modified
- 2026-05-13T12:01:33.208424394Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
- Database specific
{ "unresolved_ranges": [ { "source": "CPE_FIELD", "cpe": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "extracted_events": [ { "last_affected": "7.0" } ] } ] }- References
-
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
- https://usn.ubuntu.com/3621-1/
- http://blog.rubygems.org/2018/02/15/2.7.6-released.html
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:0542
- https://access.redhat.com/errata/RHSA-2020:0591
- https://access.redhat.com/errata/RHSA-2020:0663
- https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
- https://www.debian.org/security/2018/dsa-4219
- https://www.debian.org/security/2018/dsa-4259
- https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
Affected packages
Git / github.com/ruby/rubygems
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ruby/rubygems
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affected
- Database specific
{ "source": "CPE_FIELD", "cpe": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "0" }, { "last_affected": "2.2.9" }, { "last_affected": "2.3.6" }, { "last_affected": "2.4.3" }, { "last_affected": "2.5.0" } ] }
Affected versions
bundler-v2.*
bundler-v2.2.0
bundler-v2.2.0.rc.1
bundler-v2.2.0.rc.2
bundler-v2.2.1
bundler-v2.2.2
bundler-v2.2.3
bundler-v2.2.4
bundler-v2.2.5
bundler-v2.2.6
bundler-v2.2.7
bundler-v2.2.8
bundler-v2.2.9
bundler-v2.3.0
bundler-v2.3.1
bundler-v2.3.2
bundler-v2.3.3
bundler-v2.3.4
bundler-v2.3.5
bundler-v2.3.6
v1.*
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.0.preview2
v2.0.0.preview2.1
v2.0.0.preview2.2
v2.0.0.rc.1
v2.0.0.rc.2
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.0.rc.1
v2.1.0.rc.2
v2.1.1
v2.1.2
v2.1.3
v2.2.0.preview.1
v2.2.0.rc.1
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v3.*
v3.0.0
v3.0.0.beta1
v3.0.0.beta3
v3.1.0.pre1
v3.2.0
v3.2.0.rc.1
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6