CVE-2017-0902

High

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client…

hackerone·CWE-350·Published 2017-08-31

CVSS

8.1

EPSS

0.05

KEV

Exploits

Vendor statements (8)

cve.orgen

210 chars

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

OSV.deven

210 chars

GHSAen

210 chars

NVDes

232 chars

RubyGems 2.6.12 y anteriores es vulnerable a secuestro de DNS, lo que permite a un atacante Man-in-the-Middle (MitM) forzar el cliente RubyGems a que descargue e instale gemas desde un servidor que está bajo el control del atacante.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
3.0	Primary	NVD	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	8.1	—	—	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H