High severity8.8NVD Advisory· Published Sep 25, 2017· Updated May 13, 2026

CVE-2017-14683

Description

geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
geminaboxRubyGems	< 0.13.7	0.13.7

Affected products

Geminabox Project/Geminabox
cpe:2.3:a:geminabox_project:geminabox:*:*:*:*:*:ruby:*:*
Range: <=0.13.6

Patches

a01c4e8b3403

Fix CSRF vulnerability

https://github.com/geminabox/geminaboxsonotsSep 20, 2017via ghsa

commit

2 files changed · +3 −0

lib/geminabox.rb+1 −0 modified

@@ -9,6 +9,7 @@
 require 'tempfile'
 require 'json'
 require 'tilt/erb'
+require 'rack/protection'
 
 module Geminabox

lib/geminabox/server.rb+2 −0 modified

@@ -2,6 +2,8 @@ module Geminabox
 
   class Server < Sinatra::Base
     enable :static, :methodoverride
+    use Rack::Session::Pool, :expire_after => 2592000
+    use Rack::Protection
 
     def self.delegate_to_geminabox(*delegate_methods)
       delegate_methods.each{|m| set m, Geminabox.send(m)}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/geminabox/geminabox/blob/master/CHANGELOG.mdnvdIssue TrackingPatchRelease NotesThird Party AdvisoryWEB
baraktawily.blogspot.co.il/2017/09/gem-in-box-xss-vulenrability-cve-2017.htmlnvdExploitThird Party AdvisoryWEB
github.com/advisories/GHSA-qwv2-2x8g-g43gghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-14683ghsaADVISORY
github.com/geminabox/geminabox/commit/a01c4e8b3403624109499dec75eb6ee30bd01a55ghsaWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/geminabox/CVE-2017-14683.ymlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000