{"id":"CVE-2017-0903","details":"RubyGems versions between 2.0.0 and 2.6.13 are affected by a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class whitelists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.","aliases":["GHSA-mqwr-4qf2-2hcv"],"modified":"2026-04-16T01:42:06.138853938Z","published":"2017-10-11T18:29:00.583Z","related":["SUSE-SU-2020:1570-1"],"references":[{"type":"ADVISORY","url":"http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/101275"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0378"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0583"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3553-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-4031"},{"type":"ADVISORY","url":"http://blog.rubygems.org/2017/10/09/2.6.14-released.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3485"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0585"},{"type":"ADVISORY","url":"https://hackerone.com/reports/274990"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3685-1/"},{"type":"FIX","url":"https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/rubygems","events":[{"introduced":"0"},{"fixed":"510b1638ac9bba3ceb7a5d73135dafff9e5bab49"}]},{"type":"GIT","repo":"https://github.com/rubygems/rubygems","events":[{"introduced":"0"},{"last_affected":"8241846143b57f72c75ecc50d113dd41c8c6a226"},{"introduced":"0"},{"last_affected":"384a8802a89edae38a39d4037bb5d37508b3d32f"},{"introduced":"0"},{"last_affected":"082a84a037a04471b831e8d8c8ba5d889227bb94"},{"introduced":"0"},
{"last_affected":"abb9334ed649b34b5450e79dcf2695dcc60f0de7"},{"introduced":"0"},{"last_affected":"af4ffa745915b35cc8a56b8eb5504a1d2c3cbe27"},{"introduced":"0"},{"last_affected":"f67a0e929e0a8a625ddb7f598caa04a2bd6dcf02"},{"introduced":"0"},{"last_affected":"0c8612453cd3a442b13c27805f21604b6ac04f7a"},{"introduced":"0"},{"last_affected":"039269657cd5d6fd6dfaeaa108502c7fbd262d6f"},{"introduced":"0"},{"last_affected":"c97e75c4bedaf96376a95fe71fb3ac44ed40c18b"},{"introduced":"0"},{"last_affected":"bd4e3ac9a8b4d9d65028040a51f0cf72286f5c82"},{"introduced":"0"},{"last_affected":"35021ab7e10662351c2de954bc97ff724dcff317"},{"introduced":"0"},{"last_affected":"09985b5e4925e12b1378609b4d55c6d194177266"},{"introduced":"0"},{"last_affected":"eb4881926cbc72044dbba06f062202e7373330c1"},{"introduced":"0"},{"last_affected":"59c38c6f0548c2a5d7a013f82ae88b2235ed3c06"},{"introduced":"0"},{"last_affected":"f8a132f6f4de8fb2d495dadab750cfafc427d86e"},{"introduced":"0"},{"last_affected":"184c0513a74524f872f038c00f4e313c6198def9"},{"introduced":"0"},{"last_affected":"0de4e88a19cda7d13116e0d6204ab714a7f63acc"},{"introduced":"0"},{"last_affected":"87e05e13bcef810e2bafef7951d577b539ce2a02"},{"introduced":"0"},{"last_affected":"705c8e34a93d24f91ec36fe0e4727471d82ea05a"},{"introduced":"0"},{"last_affected":"1def9ba6f6b462a3225eb517793e7a4dfbae4335"},{"introduced":"0"},{"last_affected":"bc4078afc8c373b93c45953c4158daf10d77107d"},{"introduced":"0"},{"last_affected":"bbe01e339da3e42313091effc0afb21b9a81917e"},{"introduced":"0"},{"last_affected":"3e243d1ebcd19c1a07edefb42d322ef8710eed60"},{"introduced":"0"},{"last_affected":"954d7c2cc26c843f2d295df3d371db5d0cb347f7"},{"introduced":"0"},{"last_affected":"8993b5f4b5da7305148ca123a96ff941e08f932f"},{"introduced":"0"},{"last_affected":"daf17d7f33977c4399229685ebf232703592c90c"},{"introduced":"0"},{"last_affected":"ea1c2967b9b75128bcdb9a4fe6ba2c9e7f19c9c4"},{"introduced":"0"},{"last_affected":"a726271c78e828976ab60cf89b0a9e7738da711c"},{"introduced":"0"},
{"last_affected":"4fdeaa3e548a37d6e3bc3b6bc0fd27714497e2c7"},{"introduced":"0"},{"last_affected":"83101206f2709f12c6b9842abb14dcf94b92676d"},{"introduced":"0"},{"last_affected":"3762ffc0bc1e767a6705750f791ee211af831b13"},{"introduced":"0"},{"last_affected":"5e58957f6044e9becf7ae072a7f890034ba991df"},{"introduced":"0"},{"last_affected":"a72c7bd5280a26dcee5fefcc30a86a784de8223b"},{"introduced":"0"},{"last_affected":"5d7add54e042de7c846ae783786b32c0a456563d"},{"introduced":"0"},{"last_affected":"b01eb35e046bcd9f65a8df84594afd3be50adafa"},{"introduced":"0"},{"last_affected":"19527090d4b02403c00a616b64ea715e0ae10988"},{"introduced":"0"},{"last_affected":"a333cdba7ab06116895671ced29d4c3c34abde25"},{"introduced":"0"},{"last_affected":"21e409decfc3d4a1629913fa579528094d465d95"},{"introduced":"0"},{"last_affected":"ea4460aba0d3ab943d2cdf6203f9cf57240419ca"},{"introduced":"0"},{"last_affected":"0c4783ca90aff35206ff8d04f64d3016f5c1fe58"},{"introduced":"0"},{"last_affected":"db7a53fbcb0b5994d22f31d952b7ff4e08df7acc"},{"introduced":"0"},{"last_affected":"ccfafdc2c52c5c605ff69ed3a772d83eb19ef55a"},{"introduced":"0"},{"last_affected":"eede098838b14985191c152f7ba46f9e82b0fd14"},{"introduced":"0"},{"last_affected":"0987ef8f9da5571cc6c49ccead87c661bbba79eb"},{"introduced":"0"},{"last_affected":"77ede3cf52c15faf08509a518c6f7dee72793f1c"},{"introduced":"0"},{"last_affected":"abf89e04954b8a2ddfb6948d0860111990a6efa2"},{"introduced":"0"},{"last_affected":"744e413f556ead46aabc659408a99a4c318b6549"},{"introduced":"0"},{"last_affected":"dd7ca9b2c321f79dee041e85db07f9b0ac7f4e67"},{"introduced":"0"},{"last_affected":"be819945ba1c788a5b589a9d5daa86e9dcaaba3f"},{"introduced":"0"},{"last_affected":"8776f0aa03cd1088397ad98e4c74d7dbb5221457"},{"introduced":"0"},{"last_affected":"83c6fa8cad15d91fa9665a40d16dede27b64328b"},{"introduced":"0"},{"last_affected":"516b30370dfaf4508318ca44fe7a8f8faf473eeb"},{"introduced":"0"},{"last_affected":"b6f3b5fac7ec01e5dcc57d6768a7e9b456feaea8"},{"introduced":"0"},
{"last_affected":"182223ed08c2d39892989aecacef5de43c89deba"},{"introduced":"0"},{"last_affected":"a8aa3bac723f045c52471c7b9328310a048561e0"},{"introduced":"0"},{"last_affected":"4bfc34cb00f3be715d811bf9106e01a4893fbf92"},{"introduced":"0"},{"last_affected":"63951263617d621ef368a11b1db61b6ed4dea1c7"},{"introduced":"0"},{"last_affected":"f754a1a5ed187f410538c103351c9ca0a7d3469b"},{"introduced":"0"},{"last_affected":"d32a94848f50d6be448d862e43f074b820a1d3b6"},{"introduced":"0"},{"last_affected":"9c1101160d1b7394a4acc96f0e183334d7346dfe"},{"introduced":"0"},{"last_affected":"656f5d94dc888d78d0d00f3598a4fa37391aac80"},{"introduced":"0"},{"last_affected":"ccb9c3300c063f5b5656669972d24a10ef8afbf5"},{"introduced":"0"},{"last_affected":"60f35bd1d2359fc30301d2d4cd72bc6833e8d12a"},{"introduced":"0"},{"last_affected":"9fb8880976f5ab998912898b091d88aa10eb1d4a"},{"introduced":"0"},{"last_affected":"2ee5bf9fd3bd7649d3e244bc40107ff32070ef47"},{"introduced":"0"},{"last_affected":"be510dd4097e65c6a256a6e173d6b724a3a96472"},{"introduced":"0"},{"last_affected":"adfcf40502716080bd9cdfdd2e43bd4296872784"},{"introduced":"0"},{"last_affected":"009080040279282d7b8ddd09acab41719cb4ba00"},{"introduced":"0"},{"last_affected":"6e77ace5dad07d86a38ac271e6a62658ca751105"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.0.0-preview2"},{"introduced":"0"},{"last_affected":"2.0.0-preview2\\.1"},{"introduced":"0"},{"last_affected":"2.0.0-preview2\\.2"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.0.2"},{"introduced":"0"},{"last_affected":"2.0.3"},{"introduced":"0"},{"last_affected":"2.0.4"},{"introduced":"0"},{"last_affected":"2.0.5"},{"introduced":"0"},{"last_affected":"2.0.6"},{"introduced":"0"},{"last_affected":"2.0.7"},{"introduced":"0"},{"last_affected":"2.0.8"},{"introduced":"0"},{"last_affected":"2.0.9"},{"introduced":"0"},{"last_affected":"2.0.10"},{"introduced":"0"},{"last_affected":"2.
0.11"},{"introduced":"0"},{"last_affected":"2.0.12"},{"introduced":"0"},{"last_affected":"2.0.13"},{"introduced":"0"},{"last_affected":"2.0.14"},{"introduced":"0"},{"last_affected":"2.0.15"},{"introduced":"0"},{"last_affected":"2.0.16"},{"introduced":"0"},{"last_affected":"2.0.17"},{"introduced":"0"},{"last_affected":"2.1.0"},{"introduced":"0"},{"last_affected":"2.1.0.rc.1"},{"introduced":"0"},{"last_affected":"2.1.0.rc.2"},{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.1.2"},{"introduced":"0"},{"last_affected":"2.1.3"},{"introduced":"0"},{"last_affected":"2.1.4"},{"introduced":"0"},{"last_affected":"2.1.5"},{"introduced":"0"},{"last_affected":"2.1.6"},{"introduced":"0"},{"last_affected":"2.1.7"},{"introduced":"0"},{"last_affected":"2.1.8"},{"introduced":"0"},{"last_affected":"2.1.9"},{"introduced":"0"},{"last_affected":"2.1.10"},{"introduced":"0"},{"last_affected":"2.1.11"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.2.0.rc.1"},{"introduced":"0"},{"last_affected":"2.2.1"},{"introduced":"0"},{"last_affected":"2.2.2"},{"introduced":"0"},{"last_affected":"2.2.3"},{"introduced":"0"},{"last_affected":"2.2.4"},{"introduced":"0"},{"last_affected":"2.2.5"},{"introduced":"0"},{"last_affected":"2.3.0"},{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.4.1"},{"introduced":"0"},{"last_affected":"2.4.2"},{"introduced":"0"},{"last_affected":"2.4.3"},{"introduced":"0"},{"last_affected":"2.4.4"},{"introduced":"0"},{"last_affected":"2.4.5"},{"introduced":"0"},{"last_affected":"2.4.6"},{"introduced":"0"},{"last_affected":"2.4.7"},{"introduced":"0"},{"last_affected":"2.4.8"},{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"2.5.1"},{"introduced":"0"},{"last_affected":"2.5.2"},{"introduced":"0"},{"last_affected":"2.6.0"},{"introduced":"0"},{"last_affected":"2.6.1"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected"
:"2.6.3"},{"introduced":"0"},{"last_affected":"2.6.4"},{"introduced":"0"},{"last_affected":"2.6.5"},{"introduced":"0"},{"last_affected":"2.6.6"},{"introduced":"0"},{"last_affected":"2.6.7"},{"introduced":"0"},{"last_affected":"2.6.8"},{"introduced":"0"},{"last_affected":"2.6.9"},{"introduced":"0"},{"last_affected":"2.6.10"},{"introduced":"0"},{"last_affected":"2.6.11"},{"introduced":"0"},{"last_affected":"2.6.12"},{"introduced":"0"},{"last_affected":"2.6.13"}]}}],"versions":["v1.5.0","v1.5.1","v1.5.2","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.7.1","v1.8.0","v1.8.1","v1.8.2","v2.0.0","v2.0.0.preview2","v2.0.0.preview2.1","v2.0.0.preview2.2","v2.0.0.rc.1","v2.0.0.rc.2","v2.0.1","v2.0.10","v2.0.11","v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.0.rc.1","v2.1.0.rc.2","v2.1.1","v2.1.10","v2.1.11","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.0.preview.1","v2.2.0.rc.1","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.3.0","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.0","v2.5.1","v2.5.2","v2.6.0","v2.6.1","v2.6.10","v2.6.11","v2.6.12","v2.6.13","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.6.8","v2.6.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0.0-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.2.0.preiew.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"17.10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"eve
nts":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-0903.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}