PT-2019-1024 · Ruby+2 · Rubygems+2

Ooooooo_Q

Published

2019-03-27

Updated

2020-11-27

CVE-2019-8320

CVSS v2.0

8.8

High

Vector

AV:N/AC:M/Au:N/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions: RubyGems versions 2.7.6 through 3.0.2

Description: A Directory Traversal issue was discovered in RubyGems. The issue allows a malicious gem to delete arbitrary files on the user's machine if the attacker can guess the paths, potentially leading to data loss or an unusable system. This is particularly concerning given how frequently the gem is run as sudo and the predictability of paths on modern systems.

Recommendations: For versions 2.7.6 through 3.0.2, update to a version later than 3.0.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALBA-2019:3384

BDU:2019-03332

CVE-2019-8320

DLA-1735-1

DLA-2330-1

DSA-4433-1

GHSA-5X32-C9MF-49CC

MGASA-2020-0243

MGASA-2020-0440

OPENSUSE-SU-2019:1771-1

OPENSUSE-SU-2019_1771-1

RHSA-2019:1148

RHSA-2019:1150

RHSA-2019:1429

SUSE-SU-2019:1804-1

SUSE-SU-2020:1570-1

SUSE-SU-2020_1570-1

USN-3945-1

Affected Products

Rubygems

Suse

Ubuntu

PT-2019-1024 · Ruby+2 · Rubygems+2

CVE-2019-8320

Weakness Enumeration

Related Identifiers

Affected Products

References · 142