CVE-2017-0903: Deserialization of Untrusted Data

October 11, 2017 (updated October 9, 2019)

rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

References

blog.rubygems.org/2017/10/09/2.6.14-released.html
blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
www.securityfocus.com/bid/101275
nvd.nist.gov/vuln/detail/CVE-2017-0903

Code Behaviors & Features

Detect and mitigate CVE-2017-0903 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →