High severity7.5NVD Advisory· Published Mar 13, 2018· Updated Jun 17, 2026
CVE-2018-1000073
CVE-2018-1000073
Description
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rubygems-updateRubyGems | < 2.7.6 | 2.7.6 |
org.jruby:jruby-stdlibMaven | < 9.1.16.0 | 9.1.16.0 |
Affected products
29- ghsa-coords29 versionspkg:gem/rubygems-updatepkg:maven/org.jruby/jruby-stdlibpkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/ruby-bundled-gems-rpmhelper&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/ruby-bundled-gems-rpmhelper&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/ruby2.1&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ruby2.1&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20OpenStack%20Cloud%207
< 2.7.6+ 28 more
- (no CPE)range: < 2.7.6
- (no CPE)range: < 9.1.16.0
- (no CPE)range: < 2.5.5-lp151.4.3.1
- (no CPE)range: < 2.5.5-lp151.4.3.1
- (no CPE)range: < 0.0.2-lp151.2.1
- (no CPE)range: < 0.0.2-lp151.2.1
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.1.9-19.3.2
- (no CPE)range: < 2.5.5-4.3.1
- (no CPE)range: < 2.5.5-4.3.1
- (no CPE)range: < 3.1.53-9.8.1
- (no CPE)range: < 3.1.53-9.8.1
- (no CPE)range: < 3.1.53-9.8.1
- (no CPE)range: < 3.1.53-9.8.1
Patches
Vulnerability mechanics
References
20- github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2nvdPatchThird Party AdvisoryWEB
- blog.rubygems.org/2018/02/15/2.7.6-released.htmlnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-gx69-6cp4-hxrjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1000073ghsaADVISORY
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.htmlnvdWEB
- access.redhat.com/errata/RHSA-2018:3729nvdWEB
- access.redhat.com/errata/RHSA-2018:3730nvdWEB
- access.redhat.com/errata/RHSA-2018:3731nvdWEB
- access.redhat.com/errata/RHSA-2019:2028nvdWEB
- access.redhat.com/errata/RHSA-2020:0542nvdWEB
- access.redhat.com/errata/RHSA-2020:0591nvdWEB
- access.redhat.com/errata/RHSA-2020:0663nvdWEB
- bugs.debian.org/cgi-bin/bugreport.cgighsaWEB
- github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2018-1000073.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2018/08/msg00028.htmlnvdWEB
- usn.ubuntu.com/3621-1ghsaWEB
- www.debian.org/security/2018/dsa-4219nvdWEB
- www.debian.org/security/2018/dsa-4259nvdWEB
- usn.ubuntu.com/3621-1/nvd
News mentions
0No linked articles in our index yet.