CVE-2017-0903

critical

Published 2017-10-09 · Modified 2024-02-22

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-0903

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-0903.html

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — http://blog.rubygems.org/2017/10/09/2.6.14-released.html

OS impact

OS	Version	Status	Fixed in
sles		affected
ubuntu	14.04	affected
ubuntu	16.04	affected
ubuntu	17.10	affected
debian	8.0	affected
debian	9.0	affected
rhel	7.0	affected
debian	bookworm	fixed	`3.2.0~rc.1-1`
debian	bullseye	fixed	`3.2.0~rc.1-1`
debian	forky	fixed	`3.2.0~rc.1-1`
debian	sid	fixed	`3.2.0~rc.1-1`
debian	trixie	fixed	`3.2.0~rc.1-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	rubygems-update	`!< 2.0.0\|\|<>= 2.6.14`	`>= 2.6.14`
RubyGems	rubygems-update	`>=2.0.0,<2.6.14`	`2.6.14`

Application impact

Vendor	Product	Versions
rubygems	rubygems	`2.0.0`
rubygems	rubygems	`2.0.1`
rubygems	rubygems	`2.0.2`
rubygems	rubygems	`2.0.3`
rubygems	rubygems	`2.0.4`
rubygems	rubygems	`2.0.5`
rubygems	rubygems	`2.0.6`
rubygems	rubygems	`2.0.7`
rubygems	rubygems	`2.0.8`
rubygems	rubygems	`2.0.9`
rubygems	rubygems	`2.0.10`
rubygems	rubygems	`2.0.11`
rubygems	rubygems	`2.0.12`
rubygems	rubygems	`2.0.13`
rubygems	rubygems	`2.0.14`
rubygems	rubygems	`2.0.15`
rubygems	rubygems	`2.0.16`
rubygems	rubygems	`2.0.17`
rubygems	rubygems	`2.1.0`
rubygems	rubygems	`2.1.0.rc.1`
rubygems	rubygems	`2.1.0.rc.2`
rubygems	rubygems	`2.1.1`
rubygems	rubygems	`2.1.2`
rubygems	rubygems	`2.1.3`
rubygems	rubygems	`2.1.4`
rubygems	rubygems	`2.1.5`
rubygems	rubygems	`2.1.6`
rubygems	rubygems	`2.1.7`
rubygems	rubygems	`2.1.8`
rubygems	rubygems	`2.1.9`
rubygems	rubygems	`2.1.10`
rubygems	rubygems	`2.1.11`
rubygems	rubygems	`2.2.0`
rubygems	rubygems	`2.2.0.preiew.1`
rubygems	rubygems	`2.2.0.rc.1`
rubygems	rubygems	`2.2.1`
rubygems	rubygems	`2.2.2`
rubygems	rubygems	`2.2.3`
rubygems	rubygems	`2.2.4`
rubygems	rubygems	`2.2.5`
rubygems	rubygems	`2.3.0`
rubygems	rubygems	`2.4.0`
rubygems	rubygems	`2.4.1`
rubygems	rubygems	`2.4.2`
rubygems	rubygems	`2.4.3`
rubygems	rubygems	`2.4.4`
rubygems	rubygems	`2.4.5`
rubygems	rubygems	`2.4.6`
rubygems	rubygems	`2.4.7`
rubygems	rubygems	`2.4.8`
rubygems	rubygems	`2.5.0`
rubygems	rubygems	`2.5.1`
rubygems	rubygems	`2.5.2`
rubygems	rubygems	`2.6.0`
rubygems	rubygems	`2.6.1`
rubygems	rubygems	`2.6.2`
rubygems	rubygems	`2.6.3`
rubygems	rubygems	`2.6.4`
rubygems	rubygems	`2.6.5`
rubygems	rubygems	`2.6.6`
rubygems	rubygems	`2.6.7`
rubygems	rubygems	`2.6.8`
rubygems	rubygems	`2.6.9`
rubygems	rubygems	`2.6.10`
rubygems	rubygems	`2.6.11`
rubygems	rubygems	`2.6.12`
rubygems	rubygems	`2.6.13`

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.