CVE Number – CVE-2018-1000079 – A vulnerability in RubyGems could allow an unauthenticated, remote attacker to modify file locations on a targeted system.
The vulnerability is due to the improper handling of pathnames when the affected software installs new components. An attacker could exploit this vulnerability by persuading a user to install a malicious RubyGems gem on a targeted system. A successful exploit could allow the attacker to use directory traversal techniques to write to arbitrary file locations on the targeted system.
The vendor has confirmed the vulnerability in a security advisory and released software updates.
To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to open or execute a malicious file.
The vendor has released a security advisory at the following link: RubyGems 2.7.6 Released
The vendor has released software updates at the following link: RubyGems 2.7.6