PT-2019-1026 · Ruby · Rubygems

Published 2019-03-27 · Updated 2020-11-27 · CVE-2019-8322

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions: RubyGems versions 2.6 through 3.0.2
Description: The gem owner command in RubyGems writes the body of the gem server's API response to stdout as-is, without neutralizing control characters. A malicious or compromised gem server (rubygems.org by default, or any host passed with --host) can therefore return a response that embeds terminal escape sequences, which the user's terminal interprets rather than displays. Sequences that erase or overwrite lines, move the cursor or retitle the window let a remote attacker change what the user sees, for example hiding an error or faking a success message, which is why the vector scores a complete integrity impact and no confidentiality or availability impact.
Recommendations: Upgrade to a RubyGems release that contains the fix: RubyGems 3.0.3 or later (the Ruby 2.6.2, 2.5.5 and 2.4.6 releases bundle a fixed RubyGems for their series), or apply the distribution update referenced under Related Identifiers (for example DSA-4433-1, USN-3945-1 or RHSA-2019:1235). Check the installed release with gem --version and upgrade with gem update --system; on distribution packages with backported fixes the version string may stay in the affected range, so go by the package advisory instead. Until the upgrade is done, run gem owner only against gem servers you trust, since the vulnerability is triggered by the server's response rather than by the contents of any gem.
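As an added example, not code from RubyGems or from this advisory, the Ruby below shows the vulnerable pattern of echoing a server response body verbatim beside one way to neutralize terminal control sequences before printing, and a check of a RubyGems version string against the affected range stated above (2.6 through 3.0.2). The response body, the sanitizer regexes and all function names are constructed for illustration and do not reproduce RubyGems' own fix.

```ruby
# Added example, not RubyGems' own code: a gem server response body echoed to
# the terminal unchanged versus one neutralized first, plus a check of a
# RubyGems version string against the affected range on this page.
require "rubygems"
require "stringio"

# Constructed stand-in for a malicious gem server's API response body.
# "\e[2K\e[1G" erases the current line and moves the cursor to column 1, so
# "push succeeded" overwrites the owner entry the user was reading;
# "\e]0;pwned\a" retitles an xterm-compatible terminal window.
MALICIOUS_BODY = "- email: owner@example.com\n" \
                 "\e[2K\e[1Gpush succeeded\e]0;pwned\a\n"

# Vulnerable pattern: the body reaches the terminal as-is. Returns what was written.
def print_raw(body, io = $stdout)
  io.print body
  body
end

# Control sequences to strip before printing server-supplied text
# (hypothetical sanitizer written for this example):
OSC_SEQ = /\x1B\][^\x07\x1B]*(?:\x07|\x1B\\)/        # ESC ] ... BEL or ESC \
CSI_SEQ = /\x1B\[[\x30-\x3F]*[\x20-\x2F]*[\x40-\x7E]/ # ESC [ params intermediates final
ESC_SEQ = /\x1B[\x20-\x7E]/                           # ESC + one printable byte
CTRL    = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/          # remaining C0/DEL; keeps \t and \n

def sanitize_terminal_text(body)
  body.gsub(OSC_SEQ, "").gsub(CSI_SEQ, "").gsub(ESC_SEQ, "").gsub(CTRL, "")
end

# Hardened pattern: neutralize first, then print. Returns what was written.
def print_sanitized(body, io = $stdout)
  clean = sanitize_terminal_text(body)
  io.print clean
  clean
end

# Affected range as this advisory states it: RubyGems 2.6 through 3.0.2.
# Distribution packages with backported fixes keep older version strings,
# so for those rely on the package advisory rather than on this check.
AFFECTED_FROM = Gem::Version.new("2.6")
AFFECTED_TO   = Gem::Version.new("3.0.2")

def vulnerable_rubygems?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_FROM && v <= AFFECTED_TO
end

if __FILE__ == $PROGRAM_NAME
  puts "installed RubyGems #{Gem::VERSION}, in affected range: #{vulnerable_rubygems?(Gem::VERSION)}"
  puts "--- raw (vulnerable) ---"
  print_raw(MALICIOUS_BODY)
  puts "--- sanitized ---"
  print_sanitized(MALICIOUS_BODY)
end
```

Run it in a terminal to see the raw variant overwrite the owner line and retitle the window, while the sanitized variant leaves the injected "push succeeded" visible as ordinary text that can no longer hide what was printed before it. The CSI and OSC patterns cover the common xterm-style sequences; any leftover ESC byte falls into the CTRL class and is dropped as well.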

Exploit

Special Elements Injection

Related Identifiers

ALBA-2019:3384
BDU:2020-00753
CESA-2019:1235
CVE-2019-8322
DLA-1735-1
DLA-1796-1
DLA-2330-1
DSA-4433-1
GHSA-mh37-8c3g-3fgc
MGASA-2020-0243
MGASA-2020-0440
OPENSUSE-SU-2019:1771-1
RHSA-2019:1148
RHSA-2019:1150
RHSA-2019:1235
RHSA-2019:1429
RHSA-2020:2769
SUSE-SU-2019:1804-1
SUSE-SU-2020:1570-1
USN-3945-1

Affected Products

Centos
Red Hat
Rubygems
Suse
Ubuntu