Critical severity 9.8 · NVD Advisory · Published Oct 11, 2017 · Updated Jun 17, 2026
CVE-2017-0903
Description
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rubygems-update (RubyGems) | >= 2.0.0, < 2.6.14 | 2.6.14 |
Affected products
- cpe:2.3:a:rubygems:rubygems:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:preview2:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.0.rc.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.0.rc.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0.preiew.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.0.rc.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:rubygems:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
GHSA coordinates (22 versions, no CPE assigned):

| Package | Distribution | Affected range |
|---|---|---|
| pkg:gem/rubygems-update | (any) | >= 2.0.0, < 2.6.14 |
| pkg:rpm/suse/ruby2.1 | HPE Helion OpenStack 8 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Enterprise Storage 5 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server 12 SP2-BCL | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server 12 SP2-LTSS | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server 12 SP3-BCL | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server 12 SP3-LTSS | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server 12 SP4 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server 12 SP5 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server for SAP Applications 12 SP2 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server for SAP Applications 12 SP3 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server for SAP Applications 12 SP4 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Software Development Kit 12 SP4 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE Linux Enterprise Software Development Kit 12 SP5 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE OpenStack Cloud 7 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE OpenStack Cloud 8 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/ruby2.1 | SUSE OpenStack Cloud Crowbar 8 | < 2.1.9-19.3.2 |
| pkg:rpm/suse/yast2-ruby-bindings | SUSE Linux Enterprise Server 12 SP2-BCL | < 3.1.53-9.8.1 |
| pkg:rpm/suse/yast2-ruby-bindings | SUSE Linux Enterprise Server 12 SP2-LTSS | < 3.1.53-9.8.1 |
| pkg:rpm/suse/yast2-ruby-bindings | SUSE Linux Enterprise Server for SAP Applications 12 SP2 | < 3.1.53-9.8.1 |
| pkg:rpm/suse/yast2-ruby-bindings | SUSE OpenStack Cloud 7 | < 3.1.53-9.8.1 |
References
- github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49 (NVD: Patch, Third Party Advisory)
- blog.rubygems.org/2017/10/09/2.6.14-released.html (NVD: Vendor Advisory)
- blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html (NVD: Vendor Advisory)
- www.securityfocus.com/bid/101275 (NVD: Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2017:3485 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0378 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0583 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0585 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-mqwr-4qf2-2hcv (GHSA: Advisory)
- hackerone.com/reports/274990 (NVD: Third Party Advisory)
- lists.debian.org/debian-lts-announce/2018/07/msg00012.html (NVD: Mailing List, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-0903 (GHSA: Advisory)
- usn.ubuntu.com/3553-1/ (NVD: Third Party Advisory)
- usn.ubuntu.com/3685-1/ (NVD: Third Party Advisory)
- www.debian.org/security/2017/dsa-4031 (NVD: Third Party Advisory)
- usn.ubuntu.com/3553-1 (GHSA: Web)
- usn.ubuntu.com/3685-1 (GHSA: Web)
- web.archive.org/web/20200227143351/http://www.securityfocus.com/bid/101275 (GHSA: Web)