Arbitrary Argument Injection in ruby

Do your applications use this vulnerable package? Test your applications

Overview

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

References

CVE Details
Debian Security Tracker
HackerOne Report
MLIST
OpenSuse Security Announcement
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

High
Availability

None

CVE: CVE-2019-8321
CWE: CWE-88
Snyk ID: SNYK-ALPINE38-RUBY-452148
Disclosed: 17 Jun, 2019
Published: 27 Mar, 2019

Arbitrary Argument Injection
Affecting ruby package, versions <2.5.5-r0

Overview

References

CVSS Score

Arbitrary Argument Injection Affecting ruby package, versions <2.5.5-r0

Overview

References

Arbitrary Argument Injection
Affecting ruby package, versions <2.5.5-r0