Arbitrary Code Injection in ruby

Do your applications use this vulnerable package? Test your applications

Overview

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

References

CVE Details
Debian Security Tracker
HackerOne Report
MLIST
OpenSuse Security Announcement
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

High
Availability

None

CVE: CVE-2019-8323
CWE: CWE-74
Snyk ID: SNYK-ALPINE38-RUBY-452447
Disclosed: 17 Jun, 2019
Published: 27 Mar, 2019

Arbitrary Code Injection
Affecting ruby package, versions <2.5.5-r0

Overview

References

CVSS Score

Arbitrary Code Injection Affecting ruby package, versions <2.5.5-r0

Overview

References

Arbitrary Code Injection
Affecting ruby package, versions <2.5.5-r0