CVE-2017-1000037

9.8 CRITICAL

📋 TL;DR

CVE-2017-1000037 is a critical vulnerability in RVM (Ruby Version Manager) that allows arbitrary command execution when users change directories. The vulnerability occurs because RVM automatically loads and executes files from the current working directory without proper validation. This affects all RVM users who navigate to directories containing malicious files.

💻 Affected Systems

Products:
  • RVM (Ruby Version Manager)
Versions: All versions prior to 1.29.3
Operating Systems: Linux, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in default RVM installations and requires no special configuration to be exploitable.

📦 What is this software?

RVM (Ruby Version Manager) is a command-line tool that installs multiple Ruby interpreters and gemsets side by side and switches between them per user or per project. It works by installing shell functions into the user's interactive shell, including a hook on directory changes that reads project configuration files (such as .rvmrc and .versions.conf) to select the Ruby for that directory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges if an attacker can place malicious files in a directory that a privileged user navigates to, leading to complete system takeover.

🟠

Likely Case

Arbitrary command execution as the current user when navigating to directories containing attacker-controlled files, potentially leading to data theft, lateral movement, or persistence.

🟢

If Mitigated

Limited impact with proper user privilege separation and directory access controls, though the vulnerability still exists in the software.

🌐 Internet-Facing: LOW - This vulnerability requires local directory access or social engineering to place malicious files, not directly exploitable over the network.
🏢 Internal Only: HIGH - Significant risk in multi-user environments where attackers can place files in shared directories that other users might navigate to.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to place malicious files in a directory that the victim navigates to. Public proof-of-concept demonstrates trivial exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.29.3 and later

Vendor Advisory: https://github.com/rvm/rvm/releases/tag/1.29.3

Restart Required: No

Instructions:

1. Update RVM using: rvm get stable
2. Verify installation with: rvm --version
3. Ensure version is 1.29.3 or higher

🔧 Temporary Workarounds

Disable automatic loading

Platform: linux

Disable RVM's automatic loading of environment files from the current directory:

export rvm_project_rvmrc=0
export rvm_ignore_rvmrc=1

Use alternative Ruby manager

Platform: linux

Temporarily switch to rbenv or system Ruby until RVM is patched.

🧯 If You Can't Patch

  • Implement strict directory permissions to prevent unauthorized file creation in shared directories
  • Educate users to avoid navigating to untrusted directories and to verify directory contents before changing to them

🔍 How to Verify

Check if Vulnerable:

Check RVM version with: rvm --version. If version is below 1.29.3, the system is vulnerable.

Check Version:

rvm --version

Verify Fix Applied:

After updating, verify with a version comparison rather than a pattern match, so that 1.29.4 and later (including 1.30+ and any 2.x release) are recognised as patched: v=$(rvm --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1); [ "$(printf '%s\n' 1.29.3 "$v" | sort -V | head -n 1)" = 1.29.3 ] && echo 'Patched' || echo 'Still vulnerable'
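The version check above and the "verify directory contents before changing to them" advice under "If You Can't Patch" can be combined into one small audit script. This is an added example, not part of the advisory or of RVM itself; it assumes GNU/BSD sort with -V support, and it lists the files RVM consults on directory change (.rvmrc and .versions.conf as named on this page, plus .ruby-version, .ruby-gemset and Gemfile, which RVM also reads).

```shell
#!/bin/sh
# Added example (not from the advisory): compare an installed RVM version
# against the fixed release and audit a directory for files RVM evaluates
# on `cd`, before a user changes into it.

RVM_FIXED_VERSION="1.29.3"
# Files RVM consults when entering a directory; .rvmrc is sourced as shell code.
RVM_AUTOLOAD_FILES=".rvmrc .versions.conf .ruby-version .ruby-gemset Gemfile"

# rvm_version_patched VERSION -> exit 0 if VERSION >= 1.29.3 (sort -V ordering,
# so 1.29.12 and 1.30.0 count as patched while 1.29.2 does not).
rvm_version_patched() {
    lowest=$(printf '%s\n%s\n' "$RVM_FIXED_VERSION" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$RVM_FIXED_VERSION" ]
}

# rvm_version_from_output "rvm 1.29.2 (latest) by ..." -> prints "1.29.2"
rvm_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# rvm_audit_dir DIR -> prints one line per auto-loaded file found, flagging
# .rvmrc (executed as shell) as RISK and the others as CHECK; the exit status
# is the number of such files, so 0 means the directory is clean.
rvm_audit_dir() {
    dir=$1
    found=0
    for f in $RVM_AUTOLOAD_FILES; do
        [ -e "$dir/$f" ] || continue
        found=$((found + 1))
        owner=$(ls -ld "$dir/$f" | awk '{print $3}')
        case $f in
            .rvmrc) printf 'RISK  %s/%s (sourced as shell, owner %s)\n' "$dir" "$f" "$owner" ;;
            *)      printf 'CHECK %s/%s (parsed by RVM, owner %s)\n' "$dir" "$f" "$owner" ;;
        esac
    done
    return $found
}
```

Run `rvm_audit_dir /path/to/shared/project` before entering a directory you do not own; a non-zero status with a RISK line means RVM would execute that file on `cd` unless the workaround variables above are set.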

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from RVM hooks
  • Suspicious file operations in .rvmrc or .versions.conf files
  • Unexpected gem installations

Network Indicators:

  • Unusual outbound connections following directory changes
  • Downloads from unexpected sources during gem installation

SIEM Query:

process.name:rvm AND (process.args:*hook* OR process.args:*install* OR process.args:*exec*)
