CVE-2019-13354

Опубликовано: 08 июл. 2019

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6.

Ссылки

https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-strong_password-0-0-7/
Third Party Advisory
https://github.com/bdmac/strong_password/releases
Release Notes
Third Party Advisory
https://rubygems.org/gems/strong_password/versions
Release Notes
Third Party Advisory
https://withatwist.dev/strong-password-rubygem-hijacked.html
Third Party Advisory
https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-strong_password-0-0-7/
Third Party Advisory
https://github.com/bdmac/strong_password/releases
Release Notes
Third Party Advisory
https://rubygems.org/gems/strong_password/versions
Release Notes
Third Party Advisory
https://withatwist.dev/strong-password-rubygem-hijacked.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:strong_password_project:strong_password:0.0.7:*:*:*:*:ruby:*:*

EPSS

Процентиль: 72%

0.00728

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

Связанные уязвимости

GHSA-5h5r-ffc4-c455