RubyGems gem Installation Directory Traversal Vulnerability [CVE-2018-1000079]

CVE Number – CVE-2018-1000079 –  A vulnerability in RubyGems could allow an unauthenticated, remote attacker to modify file locations on a targeted system.

The vulnerability is due to the improper handling of pathnames when the affected software installs new components. An attacker could exploit this vulnerability by persuading a user to install a malicious RubyGems gem on a targeted system. A successful exploit could allow the attacker to use directory traversal techniques to write to arbitrary file locations on the targeted system.

The vendor has confirmed the vulnerability in a security advisory and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to open or execute a malicious file.
Vendor Announcements
Fixed Software
  • The vendor has released software updates at the following link: RubyGems 2.7.6





Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.