---
gem: rubygems-update
library: rubygems
cve: 2017-0903
url: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
title: Unsafe Object Deserialization Vulnerability in RubyGems
date: 2017-10-09
description: |
  There is a possible unsafe object deserialization vulnerability in RubyGems.
  It is possible for YAML deserialization of gem specifications to bypass class
  white lists. Specially crafted serialized objects can possibly be used to
  escalate to remote code execution.
cvss_v2: 7.5
unaffected_versions:
  - "< 2.0.0"
patched_versions:
  - ">= 2.6.14"