Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2017-0902

Origin Validation Error

Published: Aug 31, 2017 | Modified: Oct 09, 2019
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2017-0902
CWEhttps://cwe.mitre.org/data/definitions/346.html

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

Weakness

The product does not properly verify that the source of data or communication is valid.

Affected Software

Name Vendor Start Version End Version
Rubygems Rubygems * 2.6.12 (including)
Red Hat Enterprise Linux 7 RedHat ruby-0:2.0.0.648-33.el7_4 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat rh-ruby24-ruby-0:2.4.2-86.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat rh-ruby22-ruby-0:2.2.9-19.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat rh-ruby23-ruby-0:2.3.6-67.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS RedHat rh-ruby24-ruby-0:2.4.2-86.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS RedHat rh-ruby22-ruby-0:2.2.9-19.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS RedHat rh-ruby23-ruby-0:2.3.6-67.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-ruby24-ruby-0:2.4.2-86.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-ruby22-ruby-0:2.2.9-19.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-ruby23-ruby-0:2.3.6-67.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS RedHat rh-ruby24-ruby-0:2.4.2-86.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS RedHat rh-ruby22-ruby-0:2.2.9-19.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS RedHat rh-ruby23-ruby-0:2.3.6-67.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-ruby24-ruby-0:2.4.2-86.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-ruby22-ruby-0:2.2.9-19.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-ruby23-ruby-0:2.3.6-67.el7 *
Jruby Ubuntu artful *
Jruby Ubuntu bionic *
Jruby Ubuntu cosmic *
Jruby Ubuntu disco *
Jruby Ubuntu eoan *
Jruby Ubuntu esm-apps/bionic *
Jruby Ubuntu esm-apps/focal *
Jruby Ubuntu esm-apps/xenial *
Jruby Ubuntu focal *
Jruby Ubuntu groovy *
Jruby Ubuntu hirsute *
Jruby Ubuntu impish *
Jruby Ubuntu lunar *
Jruby Ubuntu mantic *
Jruby Ubuntu trusty *
Jruby Ubuntu trusty/esm *
Jruby Ubuntu xenial *
Jruby Ubuntu zesty *
Ruby2.0 Ubuntu trusty *
Ruby2.3 Ubuntu artful *
Ruby2.3 Ubuntu xenial *
Ruby2.3 Ubuntu zesty *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use