PT-2019-4617 · Ruby+6 · Rubygems+6

Published: 2019-03-27 · Updated: 2020-11-27 · CVE-2019-8324

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
RubyGems versions 2.6 through 3.0.2

Description
An issue in RubyGems allows an attacker to inject arbitrary code into the stub line of a gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. This is due to incorrect handling of crafted gems with multi-line names. A remote attacker can exploit the vulnerability with a specially crafted string in the gemspec, potentially allowing the execution of arbitrary code.

Recommendations
For RubyGems versions 2.6 through 3.0.2, consider disabling the ensure_loadable_spec function until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Code Injection

RCE


Weakness Enumeration

Related Identifiers

ALSA-2019:1972
BDU:2020-00760
CESA-2019_1235
CESA-2019_1972
CVE-2019-8324
DLA-1735-1
DLA-1796-1
DLA-2330-1
DSA-4433-1
GHSA-76WM-422Q-92MQ
MGASA-2020-0243
MGASA-2020-0440
OPENSUSE-SU-2019:1771-1
OPENSUSE-SU-2019_1771-1
RHSA-2019:1148
RHSA-2019:1150
RHSA-2019:1151
RHSA-2019:1235
RHSA-2019:1429
RHSA-2019:1972
RHSA-2019_1235
RHSA-2019_1972
RHSA-2020:2769
RLSA-2019:1972
SUSE-SU-2019:1804-1
SUSE-SU-2020:1570-1
SUSE-SU-2020_1570-1
USN-3945-1

Affected Products

AlmaLinux
CentOS
Red Hat
Rocky Linux
RubyGems
SUSE
Ubuntu