Arbitrary Code Injection in ruby2.3

Do your applications use this vulnerable package? Test your applications

Overview

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

References

CVE Details
Debian Security Tracker
HackerOne Report
MLIST
OpenSuse Security Announcement
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

High
Availability

None

CVE: CVE-2019-8322
CWE: CWE-74
Snyk ID: SNYK-DEBIAN9-RUBY23-341469
Disclosed: 17 Jun, 2019
Published: 27 Mar, 2019

Arbitrary Code Injection
Affecting ruby2.3 package, versions <2.3.3-1+deb9u6

Overview

References

CVSS Score

Arbitrary Code Injection Affecting ruby2.3 package, versions <2.3.3-1+deb9u6

Overview

References

Arbitrary Code Injection
Affecting ruby2.3 package, versions <2.3.3-1+deb9u6