CVE-2019-8321

Опубликовано: 17 июн. 2019

Источник: debian

Описание

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
ruby2.5	fixed	2.5.5-1		package
ruby2.3	removed			package
ruby2.1	removed			package
ruby2.1	not-affected		jessie	package
rubygems	fixed	3.2.0~rc.1-1		package
jruby	fixed	9.1.17.0-3		package

Примечания

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b

Связанные уязвимости

CVE-2019-8321

CVSS3: 7.5

ubuntu

больше 6 лет назад

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

CVE-2019-8321

CVSS3: 5.3

redhat

почти 7 лет назад

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

CVE-2019-8321

CVSS3: 7.5

nvd

больше 6 лет назад

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

GHSA-fr32-gr5c-xq5c

CVSS3: 7.5

github

больше 6 лет назад

RubyGems Escape sequence injection vulnerability in verbose

BDU:2020-00752

CVSS3: 5.9

fstec

больше 6 лет назад

Уязвимость модуля Gem::UserInteraction системы управления пакетами RubyGems, позволяющая нарушителю нарушить целостность данных