10

CVSS Score

Basic Information

CVE ID

CVE-2018-3779

GHSA ID

GHSA-2j55-pcw5-x4h2

EPSS Score

0.9213%

CWE

CWE-77

Published

8/13/2018

Updated

1/18/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-3779

CVE-2018-3779: active-support impersonates 'activesupport' gem

The active-support ruby gem gem is malware and duplicates the official activesupport (no hyphen) gem, but adds a compiled extension. The extension attempts to resolve a base64 encoded domain (29faea63.planfhntage.de), downloads a payload, and executes.

This trojan horse gem could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system. No version of this gem should be considered safe.

(GitHub Advisory)

10

CVSS Score

Basic Information

CVE ID

CVE-2018-3779

GHSA ID

GHSA-2j55-pcw5-x4h2

EPSS Score

0.9213%

CWE

CWE-77

Published

8/13/2018

Updated

1/18/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
active-support	rubygems	> 0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a malicious compiled extension in the 'active-support' gem, not from identifiable Ruby functions. The attack vector involves native code that decodes a base64 domain, downloads payloads, and executes them. Since the advisory provides no source code or disassembly of the compiled extension, and RubyGems' vulnerability reporting doesn't list specific vulnerable functions, we cannot confidently name any Ruby-level functions. The CWE-77 command injection occurs at the native code level, which isn't exposed through standard Ruby function signatures.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `**tiv*-support` ru*y **m **m is m*lw*r* *n* *upli**t*s t** o**i*i*l `**tiv*support` (no *yp**n) **m, *ut ***s * *ompil** *xt*nsion. T** *xt*nsion *tt*mpts to r*solv* * **s*** *n*o*** *om*in (********.pl*n**nt***.**), *ownlo**s * p*ylo**, *n* *x*

Reasoning

T** vuln*r**ility st*ms *rom * m*li*ious *ompil** `*xt*nsion` in t** '**tiv*-support' **m, not *rom i**nti*i**l* Ru*y `*un*tions`. T** *tt**k v**tor involv*s n*tiv* *o** t**t ***o**s * **s*** *om*in, *ownlo**s p*ylo**s, *n* *x**ut*s t**m. Sin** t** *

10

Basic Information

Concerned about an active attack path?

CVE-2018-3779: active-support impersonates 'activesupport' gem

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI