CVE-2019-8321 — Argument Injection in Rubygems

CWE-88 — Argument Injection11 documents8 sources

Severity

7.5HIGHNVD

OSV7.4

EPSS

0.3%

top 44.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubygems Jruby Debian Linux +1 more

Timeline

PublishedJun 17

Latest updateJun 20

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Debianrubygems/rubygems< 3.2.0~rc.1-1+3

▶NVDrubygems/rubygems2.6.0 — 3.0.2

▶Debianjruby/jruby< 9.1.17.0-3+2

▶NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

RubyGems Escape sequence injection vulnerability in verbose↗2019-06-20

▶

OSV

RubyGems Escape sequence injection vulnerability in verbose↗2019-06-20

▶

CVEList

CVE-2019-8321: An issue was discovered in RubyGems 2↗2019-06-17

▶

OSV

CVE-2019-8321: An issue was discovered in RubyGems 2↗2019-06-17

▶

OSV

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities↗2019-04-11

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2019-04-11

▶

Red Hat

rubygems: Escape sequence injection vulnerability in verbose↗2019-03-05

▶

Debian

CVE-2019-8321: jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::User...↗2019

▶

💬Community

Bugzilla

CVE-2019-8321 rubygems: Escape sequence injection vulnerability in verbose↗2019-03-25

▶

Bugzilla

CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 rubygems: various flaws [fedora-all]↗2019-03-25

▶