rubygems-update 1.8.20

16 security vulnerabilities found in version 1.8.20

RubyGems ANSI escape sequence vulnerability

critical severity CVE-2017-0899
critical severity CVE-2017-0899
Patched versions: >= 2.4.5.3, >= 2.5.2.1, >= 2.6.13

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

RubyGems Infinite Loop vulnerability

high severity CVE-2018-1000075
high severity CVE-2018-1000075
Patched versions: >= 2.7.6

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.

RubyGems Deserialization of Untrusted Data vulnerability

high severity CVE-2018-1000074
high severity CVE-2018-1000074
Patched versions: >= 2.7.6

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack requires the victim to run the gem owner command on a gem with a specially crafted YAML file. This vulnerability is fixed in 2.7.6.

RubyGems Link Following vulnerability

high severity CVE-2018-1000073
high severity CVE-2018-1000073
Patched versions: >= 2.7.6

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

RubyGems DNS request hijacking vulnerability

high severity CVE-2017-0902
high severity CVE-2017-0902
Patched versions: >= 2.4.5.3, >= 2.5.2.1, >= 2.6.13

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to down load and install gems from a server that the attacker controls.

RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files

high severity CVE-2017-0901
high severity CVE-2017-0901
Patched versions: >= 2.4.5.3, >= 2.5.2.1, >= 2.6.13

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

RubyGems DoS vulnerability in the query command

high severity CVE-2017-0900
high severity CVE-2017-0900
Patched versions: >= 2.4.5.3, >= 2.5.2.1, >= 2.6.13

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a query command.

RubyGems Path Traversal vulnerability

medium severity CVE-2018-1000079
medium severity CVE-2018-1000079
Patched versions: >= 2.7.6

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.

RubyGems Cross-site Scripting vulnerability

medium severity CVE-2018-1000078
medium severity CVE-2018-1000078
Patched versions: >= 2.7.6

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack requires the victim to browse to a malicious gem on a vulnerable gem server. This vulnerability is fixed in 2.7.6.

RubyGems Improper Input Validation vulnerability

medium severity CVE-2018-1000077
medium severity CVE-2018-1000077
Patched versions: >= 2.7.6

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem setting an invalid homepage URL. This vulnerability is fixed in 2.7.6.

RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking

medium severity CVE-2015-4020
medium severity CVE-2015-4020
Patched versions: ~> 2.0.17, ~> 2.2.5, >= 2.4.8

RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb that is triggered when handling hostnames in SRV records. With a specially crafted response, a context-dependent attacker may conduct DNS hijacking attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.

CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()

medium severity CVE-2015-3900
medium severity CVE-2015-3900
Patched versions: ~> 2.0.16, ~> 2.2.4, >= 2.4.7

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." A flaw was found in a way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.

CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix

medium severity CVE-2013-4363
medium severity CVE-2013-4363
Patched versions: ~> 1.8.23.2, ~> 1.8.27, ~> 2.0.10, >= 2.1.5

'Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.'

CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability

medium severity CVE-2013-4287
medium severity CVE-2013-4287
Patched versions: ~> 1.8.23.1, ~> 1.8.26, ~> 2.0.8, >= 2.1.0

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23

medium severity CVE-2012-2126
medium severity CVE-2012-2126
Patched versions: >= 1.8.23

RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.

CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23

medium severity CVE-2012-2125
medium severity CVE-2012-2125
Patched versions: >= 1.8.23

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a Ruby license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.