CVE-2019-8324 — Code Injection in Rubygems

CWE-94 — Code Injection CWE-20 — Improper Input Validation11 documents8 sources

Severity

8.8HIGHNVD

OSV7.4

EPSS

0.5%

top 33.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubygems Jruby Debian Jruby +4 more

Timeline

PublishedJun 17

Latest updateJun 20

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶debiandebian/rubygems< jruby 9.1.17.0-3 (bookworm)

▶Debianrubygems/rubygems< 3.2.0~rc.1-1+3

▶NVDrubygems/rubygems2.6.0 — 3.0.2

▶debiandebian/jruby< jruby 9.1.17.0-3 (bookworm)

▶Debianjruby/jruby< 9.1.17.0-3+2

Also affects: Debian Linux 9.0, Enterprise Linux 8.0

🔴Vulnerability Details

OSV

Code injection in RubyGems↗2019-06-20

▶

GHSA

Code injection in RubyGems↗2019-06-20

▶

CVEList

CVE-2019-8324: An issue was discovered in RubyGems 2↗2019-06-17

▶

OSV

CVE-2019-8324: An issue was discovered in RubyGems 2↗2019-06-17

▶

OSV

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities↗2019-04-11

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2019-04-11

▶

Red Hat

rubygems: Installing a malicious gem may lead to arbitrary code execution↗2019-03-05

▶

Debian

CVE-2019-8324: jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem w...↗2019

▶

💬Community

Bugzilla

CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution↗2019-03-25

▶

Bugzilla

CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 rubygems: various flaws [fedora-all]↗2019-03-25

▶