Malicious Package Affecting strong_password package, versions =0.0.7

Q: How to fix?

<p>Avoid using <code>strong_password</code> v0.0.7 altogether. Downgrading to v0.0.6 will ensure no malicious code execution is possible.</p>

Threat Intelligence

Mature

0.76% (81^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-STRONGPASSWORD-451547
published 6 Jul 2019
disclosed 3 Jul 2019
credit WithaTwist

Report a new vulnerability Found a mistake?

Introduced: 3 Jul 2019

Malicious CVE-2019-13354 Open this link in a new tab CWE-506 Open this link in a new tab

How to fix?

Avoid using strong_password v0.0.7 altogether. Downgrading to v0.0.6 will ensure no malicious code execution is possible.

Overview

strong_password is a is an entropy-based password strength checking for Ruby and ActiveModel

This gem was hijacked by a malicious actor, who has published v0.0.7 containing malicious code that enables them to execute remote code in production.

References

WithATwist Blog

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High