CVE-2018-1000201 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-1000201 - High Severity Vulnerability

Vulnerable Library - ffi-1.9.10.gem

Ruby FFI library

path: /var/lib/gems/2.3.0/cache/ffi-1.9.10.gem

Library home page: https://rubygems.org/downloads/ffi-1.9.10.gem

Dependency Hierarchy:

• jekyll-3.0.1.gem (Root Library)
  • jekyll-watch-1.3.0.gem
    • listen-3.0.5.gem
      • rb-inotify-0.9.5.gem
        • ❌ ffi-1.9.10.gem (Vulnerable Library)

Vulnerability Details

ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.

Publish Date: 2018-06-22

URL: CVE-2018-1000201

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: ffi/ffi@09e0c60

Release Date: 2018-06-01

Fix Resolution: Replace or update the following file: library.rb

---

Step up your Open Source Security Game with WhiteSource here