{"api_version":"1","generated_at":"2026-04-23T08:15:23+00:00","cve":"CVE-2018-1000079","urls":{"html":"https://cve.report/CVE-2018-1000079","api":"https://cve.report/api/cve/CVE-2018-1000079.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1000079","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000079"},"summary":{"title":"CVE-2018-1000079","description":"RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in a gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable when the victim installs a malicious gem. This vulnerability appears to have been fixed in RubyGems 2.7.6.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-03-13 15:29:00","updated_at":"2018-11-30 11:29:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html","name":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"2.7.6 Released - RubyGems Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:3731","name":"RHSA-2018:3731","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2018/dsa-4219","name":"DSA-4219","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4219-1 jruby","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:3729","name":"RHSA-2018:3729","refsource":"REDHAT","tags":[],"title":"Red Hat Customer 
Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099","name":"https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Implement a safe mkdir for package that verifies were inside the dest… · rubygems/rubygems@666ef79 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html","name":"[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 1421-1] ruby2.1 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2020:0542","name":"RHSA-2020:0542","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:3730","name":"RHSA-2018:3730","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759","name":"https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Add bug fix for #270068 · rubygems/rubygems@f83f911 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:2028","name":"RHSA-2019:2028","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3621-1/","name":"USN-3621-1","refsource":"UBUNTU","tags":[],"title":"USN-3621-1: Ruby vulnerabilities | Ubuntu security 
notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2020:0591","name":"RHSA-2020:0591","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2020:0663","name":"RHSA-2020:0663","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html","name":"openSUSE-SU-2019:1771","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1771-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2018/dsa-4259","name":"DSA-4259","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4259-1 ruby2.3","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1000079","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000079","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1000079","vulnerable":"1","versionEndIncluding":"2.2.9","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rubygems","cpe5":"rubygems","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000079","vulnerable":"1","versionEndIncluding":"2.3.6","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rubygems","cpe5":"rubygems","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000079","vulnerable":"1","versionEndIncluding":"2.4.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rubygems","cpe5":"rubygems","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000079","vulnerable":"1","versionEndIncluding":"2.5.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rubygems","cpe5":"rubygems","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-1000079","qid":"377477","title":"Alibaba Cloud Linux Security Update for ruby (ALINUX2-SA-2019:0111)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","DATE_ASSIGNED":"2/18/2018 8:11:09","ID":"CVE-2018-1000079","REQUESTER":"craig.ingram@salesforce.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and 
earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"DSA-4219","refsource":"DEBIAN","url":"https://www.debian.org/security/2018/dsa-4219"},{"name":"USN-3621-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3621-1/"},{"name":"RHSA-2018:3729","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:3729"},{"name":"https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099","refsource":"MISC","url":"https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099"},{"name":"RHSA-2018:3730","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:3730"},{"name":"RHSA-2018:3731","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:3731"},{"name":"[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security 
update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"},{"name":"DSA-4259","refsource":"DEBIAN","url":"https://www.debian.org/security/2018/dsa-4259"},{"name":"https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759","refsource":"MISC","url":"https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759"},{"name":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html","refsource":"MISC","url":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1771","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"},{"refsource":"REDHAT","name":"RHSA-2019:2028","url":"https://access.redhat.com/errata/RHSA-2019:2028"},{"refsource":"REDHAT","name":"RHSA-2020:0542","url":"https://access.redhat.com/errata/RHSA-2020:0542"},{"refsource":"REDHAT","name":"RHSA-2020:0591","url":"https://access.redhat.com/errata/RHSA-2020:0591"},{"refsource":"REDHAT","name":"RHSA-2020:0663","url":"https://access.redhat.com/errata/RHSA-2020:0663"}]}},"nvd":{"publishedDate":"2018-03-13 15:29:00","lastModifiedDate":"2018-11-30 
11:29:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.2.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.3.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.4.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.5.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1000079","Ordinal":"123537","Title":"CVE-2018-1000079","CVE":"CVE-2018-1000079","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1000079","Ordinal":"1","NoteData":"RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, 
prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1000079","Ordinal":"2","NoteData":"2018-03-13","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1000079","Ordinal":"3","NoteData":"2020-03-03","Type":"Other","Title":"Modified"}]}}}