High severity (7.5) · NVD Advisory · Published Aug 31, 2017 · Updated May 13, 2026
CVE-2017-0901
Description
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
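A defensive check of the kind the fix adds, written here as an added example (not RubyGems' own code): an anchored name pattern beside the unanchored form that lets `../malicious` through, and a path-containment check on the resolved install directory. The pattern is an assumption modelled on an allowed-character rule, not a copy of `Gem::Specification::VALID_NAME_PATTERN`, and the gem_home paths used are constructed.

```ruby
require 'pathname'

# Anchored at both ends: the whole name must consist of allowed characters.
# Assumption: modelled on an allowed-character rule, not the library's constant.
SAFE_NAME = /\A[a-zA-Z0-9._-]+\z/
# The mistake to avoid: an unanchored pattern matches any substring, so
# "../malicious" passes because the "malicious" part matches.
UNANCHORED_NAME = /[a-zA-Z0-9._-]+/

def valid_gem_name?(name, pattern = SAFE_NAME)
  return false unless name.is_a?(String) && !name.empty?
  # "." and ".." consist only of allowed characters but are directory references
  return false if name == '.' || name == '..'
  !(name =~ pattern).nil?
end

# Second, independent check: resolve where "#{gem_home}/gems/#{full_name}" would
# land and require it to stay inside the gems directory, so a traversal that
# somehow survives the name check is still refused.
def install_dir_contained?(gem_home, full_name)
  gems_dir = Pathname.new(gem_home).expand_path + 'gems'
  target = (gems_dir + full_name).expand_path
  target.to_s.start_with?(gems_dir.to_s + File::SEPARATOR)
end

# What a pre-install check should require before extracting a gem's files.
def install_allowed?(gem_home, name, version)
  valid_gem_name?(name) && install_dir_contained?(gem_home, "#{name}-#{version}")
end
```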
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rubygems-update (RubyGems) | < 2.6.13 | 2.6.13 |
Patches (1)
ad5c0a53a86c: Validate specification names when installing
2 files changed · +27 −0
lib/rubygems/installer.rb+7 −0 modified@@ -697,6 +697,11 @@ def verify_gem_home(unpack = false) # :nodoc: unpack or File.writable?(gem_home) end + def verify_spec_name + return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN + raise Gem::InstallError, "#{spec} has an invalid name" + end + ## # Return the text for an application file. @@ -823,6 +828,8 @@ def pre_install_checks ensure_loadable_spec + verify_spec_name + if options[:install_as_default] Gem.ensure_default_gem_subdirectories gem_home else
test/rubygems/test_gem_installer.rb+20 −0 modified@@ -1448,6 +1448,26 @@ def test_pre_install_checks_wrong_rubygems_version end end + def test_pre_install_checks_malicious_name + spec = util_spec '../malicious', '1' + def spec.full_name # so the spec is buildable + "malicious-1" + end + def spec.validate; end + + util_build_gem spec + + gem = File.join(@gemhome, 'cache', spec.file_name) + + use_ui @ui do + @installer = Gem::Installer.at gem + e = assert_raises Gem::InstallError do + @installer.pre_install_checks + end + assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message + end + end + def test_shebang util_make_exec @spec, "#!/usr/bin/ruby"
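Review bot: in the lib/rubygems/installer.rb hunk at @@ -697, `verify_spec_name` only stops traversal if `Gem::Specification::VALID_NAME_PATTERN` is anchored at both ends (`\A ... \z`); with `=~`, an unanchored pattern would still match the `malicious` part of `../malicious` and let the name through, so that dependency deserves a comment next to the new method, and a `# :nodoc:` marker like the neighbouring `verify_gem_home(unpack = false) # :nodoc:` would keep the file's style consistent.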
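Review bot: in the lib/rubygems/installer.rb hunk at @@ -823, `verify_spec_name` is placed after `ensure_loadable_spec`, which it relies on because `spec.name` has to be readable before it can be validated; that ordering constraint is worth a one-line comment so a later reordering of `pre_install_checks` cannot move the name check ahead of spec loading.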
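Review bot: in the test/rubygems/test_gem_installer.rb hunk, `../malicious` is the only rejected name exercised; add an absolute name and a name containing a bare `/`, plus a positive case showing that `pre_install_checks` still accepts a valid name, since a regression in the pattern would otherwise go unnoticed. Asserting on the full inspect string `#<Gem::Specification name=../malicious version=1> has an invalid name` is also brittle; matching on `has an invalid name` together with the name would survive changes to `Gem::Specification#to_s`.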
References
- blog.rubygems.org/2017/08/27/2.6.13-released.html (NVD: Patch, Vendor Advisory)
- github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2 (NVD: Patch, Third Party Advisory)
- hackerone.com/reports/243156 (NVD: Exploit, Patch, Third Party Advisory)
- www.exploit-db.com/exploits/42611/ (NVD: Exploit, Third Party Advisory, VDB Entry; GHSA)
- www.securityfocus.com/bid/100580 (NVD: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039249 (NVD: Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2017:3485 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0378 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0583 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0585 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-pm9x-4392-2c2p (GHSA: Advisory)
- lists.debian.org/debian-lts-announce/2018/07/msg00012.html (NVD: Mailing List, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-0901 (GHSA: Advisory)
- security.gentoo.org/glsa/201710-01 (NVD: Third Party Advisory)
- usn.ubuntu.com/3553-1/ (NVD: Third Party Advisory; GHSA)
- usn.ubuntu.com/3685-1/ (NVD: Third Party Advisory; GHSA)
- www.debian.org/security/2017/dsa-3966 (NVD: Third Party Advisory)
- web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249 (GHSA)
- web.archive.org/web/20170915000000*/http://www.securityfocus.com/bid/100580 (GHSA)