- Description
- The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 2.0
- Type
- Primary
- Base score
- 9.3
- Impact score
- 10
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:C/I:C/A:C
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyforge:rubygems:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CD242F0E-FA2C-4702-9482-0FA738C92F0D",
"versionEndIncluding": "0.9.0"
},
{
"criteria": "cpe:2.3:a:rubyforge:rubygems:0.8.11:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F8533BB9-84D9-4941-A569-E3103BD14114"
}
],
"operator": "OR"
}
]
}
]