{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T12:38:35.267","vulnerabilities":[{"cve":{"id":"CVE-2018-1000073","sourceIdentifier":"cve@mitre.org","published":"2018-03-13T15:29:00.427","lastModified":"2024-11-21T03:39:34.590","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6."},{"lang":"es","value":"Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: 2.5.0 y anteriores, anteriores a la revisión del trunk 62422 contiene una vulnerabilidad de salto de directorio en la función install_location de package.rb que puede resultar en un salto de directorio al escribir en un basedir vinculado simbólicamente fuera del root. La vulnerabilidad parece haber sido solucionada en la versión 2.7.6."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-59"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.2.9","matchCriteriaId":"BEE89FF0-0079-4DF5-ACFC-E1B5415E54F4"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.3.6","matchCriteriaId":"8080FB82-5445-4A17-9ECB-806991906E80"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.4.3","matchCriteriaId":"CCBC38C5-781E-4998-877D-42265F1DBD05"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*","versionEndIncluding":"2.5.0","matchCriteriaId":"6ACE6376-2E27-4F56-9315-03367963DB09"}]}]}],"references":[{"url":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html","source":"cve@mitre.org","tags":["Vendor Advisory"]},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2018:3729","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2018:3730","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2018:3731","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2019:2028","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2020:0542","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2020:0591","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2020:0663","source":"cve@mitre.org"},{"url":"https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2","source":"cve@mitre.org","tags":["Patch","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html","source":"cve@mitre.org"},{"url":"https://usn.ubuntu.com/3621-1/","source":"cve@mitre.org"},{"url":"https://www.debian.org/security/2018/dsa-4219","source":"cve@mitre.org"},{"url":"https://www.debian.org/security/2018/dsa-4259","source":"cve@mitre.org"},{"url":"http://blog.rubygems.org/2018/02/15/2.7.6-released.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2018:3729","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2018:3730","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2018:3731","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2019:2028","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2020:0542","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2020:0591","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/errata/RHSA-2020:0663","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://usn.ubuntu.com/3621-1/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://www.debian.org/security/2018/dsa-4219","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://www.debian.org/security/2018/dsa-4259","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}