<p>Upgrade <code>rubygems-update</code> to version 2.7.8, 3.0.3 or higher.</p>

Out-of-Bounds Affecting rubygems-update package, versions <2.7.8 >=3.0.0, <3.0.3

Snyk CVSS

Attack Complexity Low

Integrity High

Threat Intelligence

EPSS 0.15% (51^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-RUBYGEMSUPDATE-472646
published 13 Nov 2019
disclosed 5 Mar 2019
credit ooooooo_q

Report a new vulnerability Found a mistake?

Introduced: 5 Mar 2019

CVE-2019-8325 Open this link in a new tab CWE-119 Open this link in a new tab

How to fix?

Upgrade rubygems-update to version 2.7.8, 3.0.3 or higher.

Overview

rubygems-update is an inbuilt rubygem for updating rubygems.

Affected versions of this package are vulnerable to Out-of-Bounds. Gem::CommandManager#run calls alert_error without escaping, therefore escape sequence injection is possible.

References

HackerOne Report
Patch Fix Commit
RedHat Bugzilla Bug
RubyGems Security Advisory