Do your applications use this vulnerable package?
Test your applications
Overview
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
References
CVSS Score
8.8
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionRequired
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityHigh
-
AvailabilityHigh
- CVE
- CVE-2019-8324
- CWE
- CWE-94
- Snyk ID
- SNYK-ALPINE39-RUBY-449742
- Disclosed
- 17 Jun, 2019
- Published
- 27 Mar, 2019