PT-2019-13286 · Ruby · Strong Password

Tute Costa · Published 2019-07-08 · Updated 2019-07-10 · CVE-2019-13354

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: strong_password gem, version 0.0.7
Description: A code-execution backdoor was inserted into the strong_password gem by a third party. The backdoor fetches and executes external code controlled by an unknown attacker and hosted on the Pastebin service. The strong_password gem has been downloaded approximately 247,000 times in total, with version 0.0.6 downloaded around 38,000 times. The malicious version 0.0.7 was downloaded 537 times, although this figure is uncertain because the release has since been removed from RubyGems.
Recommendations: If you are on version 0.0.7, update to version 0.0.8 (or downgrade to the earlier version 0.0.6) to remove the code-execution backdoor. As a temporary workaround, consider not using the strong_password gem at all until a clean version is installed.
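As an added example (not part of this advisory or of the gem itself), a small Ruby check that scans a project's Gemfile.lock for the backdoored strong_password release named above and reports the remediation versions the advisory lists; the lockfile contents are constructed sample data.

```ruby
require "rubygems"

# Advisory data as stated on this page.
AFFECTED_GEM     = "strong_password"
AFFECTED_VERSION = Gem::Version.new("0.0.7")
SAFE_VERSIONS    = ["0.0.8", "0.0.6"]

# Parse the "specs:" section of a Gemfile.lock into { name => [Gem::Version] }.
# Resolved gems sit at four spaces of indentation as "name (version)";
# deeper-indented lines are dependency constraints and are skipped.
def parse_lockfile_specs(lock_text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented, non-blank line starts a new block (PLATFORMS, DEPENDENCIES, ...).
    in_specs = false if in_specs && line !~ /\A\s/ && !line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\s*\z/)
    specs[m[1]] << Gem::Version.new(m[2]) if m
  end
  specs
end

# Return one finding hash per lockfile entry pinned to the backdoored release.
def check_strong_password(lock_text)
  parse_lockfile_specs(lock_text).fetch(AFFECTED_GEM, []).each_with_object([]) do |v, out|
    next unless v == AFFECTED_VERSION
    out << { gem: AFFECTED_GEM, version: v.to_s,
             advice: "backdoored release; move to #{SAFE_VERSIONS.join(' or ')}" }
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.7)
      strong_password (0.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    strong_password
LOCK

if __FILE__ == $PROGRAM_NAME
  check_strong_password(SAMPLE_LOCK).each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:advice]}" }
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCK with File.read of that file; an empty result means the pinned strong_password version is not the 0.0.7 release.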

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2019-13354
GHSA-5H5R-FFC4-C455

Affected Products

Strong Password