CVE-2019-8323 — Injection in Rubygems

CWE-74 — Injection CWE-88 — Argument Injection10 documents7 sources

Severity

7.5HIGHNVD

OSV7.4

EPSS

0.3%

top 44.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubygems Jruby Debian Jruby +3 more

Timeline

PublishedJun 17

Latest updateJun 20

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/rubygems< jruby 9.1.17.0-3 (bookworm)

▶Debianrubygems/rubygems< 3.2.0~rc.1-1+3

▶NVDrubygems/rubygems2.6.0 — 3.0.2

▶debiandebian/jruby< jruby 9.1.17.0-3 (bookworm)

▶Debianjruby/jruby< 9.1.17.0-3+2

Also affects: Debian Linux 9.0

🔴Vulnerability Details

OSV

RubyGems Escape sequence injection vulnerability in api response handling↗2019-06-20

▶

GHSA

RubyGems Escape sequence injection vulnerability in api response handling↗2019-06-20

▶

OSV

CVE-2019-8323: An issue was discovered in RubyGems 2↗2019-06-17

▶

OSV

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities↗2019-04-11

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2019-04-11

▶

Red Hat

rubygems: Escape sequence injection vulnerability in API response handling↗2019-03-05

▶

Debian

CVE-2019-8323: jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterU...↗2019

▶

💬Community

Bugzilla

CVE-2019-8323 rubygems: Escape sequence injection vulnerability in API response handling↗2019-03-25

▶

Bugzilla

CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 rubygems: various flaws [fedora-all]↗2019-03-25

▶