PT-2019-1026 · Ruby · RubyGems

Published: 2019-03-27 · Updated: 2020-11-27 · CVE-2019-8322

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: RubyGems versions 2.6 through 3.0.2
Description: In the affected versions, the `gem owner` command writes the body of the HTTP response it receives from the gem server (rubygems.org by default, or the host given with `--host`) to stdout without neutralising control characters. A server that returns a crafted response, for example one carrying ANSI escape sequences, can therefore drive the user's terminal: clear the screen, overwrite earlier output, change the window title, or otherwise make the operator see something other than what the server actually sent. The attack is remote and requires no authentication from the attacker; the impact is on the integrity of what the operator sees, not on confidentiality or availability, which is what the vector above expresses.
Recommendations: Upgrade to RubyGems 3.0.3 or later (`gem update --system`), or to a Ruby release that bundles the fixed RubyGems (Ruby 2.6.2, 2.5.4 or 2.4.6 and later), or apply the vendor updates listed under Related identifiers below. Until the upgrade is in place, avoid running `gem owner` against gem hosts you do not control or trust.
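To make the description concrete, here is an added Ruby example. It is not RubyGems code: the method names, the control-character pattern and the sample server response are constructed for this page. It shows the vulnerable pattern, a hardened variant modelled on the approach the upstream fix took (replacing control bytes with a visible placeholder rather than deleting them), and a small terminal model that makes the integrity impact visible: the raw response leaves the user reading a message the server never sent, while the cleaned response shows everything the server returned, inert.

```ruby
# frozen_string_literal: true
#
# Added illustration of CVE-2019-8322: `gem owner` echoing an unsanitised
# server response to the terminal. This is NOT RubyGems code; the method
# names, the regex and the sample response are constructed for this page.

# Constructed gem-host response. The first sentence is what a benign server
# would send; everything after it is attacker-controlled: ESC[2J clears the
# screen, ESC[H homes the cursor, and the OSC sequence ESC]0;...BEL retitles
# the terminal window. The exact bytes are an assumption for this example.
CRAFTED_RESPONSE = "Owner added successfully.\e[2J\e[H" \
                   "Owner could not be added; re-run as root.\n" \
                   "\e]0;gem\a"

# C0 control characters and DEL, except TAB (0x09), LF (0x0A) and CR (0x0D),
# which legitimately appear in multi-line server messages.
CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/

# Vulnerable pattern (RubyGems 2.6 through 3.0.2): the body reaches stdout as-is.
def vulnerable_output(body)
  body
end

# Hardened form: replace each control byte with a visible placeholder instead
# of deleting it, so the user can see that the server sent something odd.
def clean_text(body)
  body.gsub(CONTROL_CHARS, ".")
end

# True when a response carries bytes that a terminal would interpret.
def escape_injection?(body)
  body.match?(CONTROL_CHARS)
end

# Minimal model of what a VT100-style terminal leaves on screen after printing
# `bytes`. It understands only what this example needs: CSI "ESC [ ... final"
# (ESC[2J erases everything printed so far) and OSC "ESC ] ... BEL" (swallowed).
def render_visible(bytes)
  screen = +""
  i = 0
  while i < bytes.length
    if bytes[i] == "\e" && bytes[i + 1] == "["
      final = bytes.index(/[@-~]/, i + 2) || bytes.length - 1 # CSI final byte 0x40..0x7E
      screen = +"" if bytes[i..final] == "\e[2J"
      i = final + 1
    elsif bytes[i] == "\e" && bytes[i + 1] == "]"
      bel = bytes.index("\a", i) || bytes.length - 1
      i = bel + 1
    else
      screen << bytes[i]
      i += 1
    end
  end
  screen
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{render_visible(vulnerable_output(CRAFTED_RESPONSE)).inspect}"
  puts "hardened:   #{render_visible(clean_text(CRAFTED_RESPONSE)).inspect}"
end
```

Run it directly and the vulnerable path renders only the attacker's sentence, because ESC[2J wiped the genuine one; the hardened path renders the full text with each control byte shown as a dot. The check `escape_injection?` is the kind of assertion you would put in a test suite for any CLI that prints server-supplied text, not just `gem owner`.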

Exploit

Special Elements Injection


Weakness Enumeration

Related identifiers

ALBA-2019:3384
BDU:2020-00753
CESA-2019_1235
CVE-2019-8322
DLA-1735-1
DLA-1796-1
DLA-2330-1
DSA-4433-1
GHSA-MH37-8C3G-3FGC
MGASA-2020-0243
MGASA-2020-0440
OPENSUSE-SU-2019:1771-1
RHSA-2019:1148
RHSA-2019:1150
RHSA-2019:1235
RHSA-2019:1429
RHSA-2020:2769
SUSE-SU-2019:1804-1
SUSE-SU-2020:1570-1
USN-3945-1

Affected products

Centos
Red Hat
Rubygems
Suse
Ubuntu