CVE-2019-8325 — Injection in Rubygems

CWE-74 — Injection CWE-88 — Argument Injection11 documents8 sources

Severity

7.5HIGHNVD

OSV7.4

EPSS

0.3%

top 44.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubygems Jruby Debian Jruby +3 more

Timeline

PublishedJun 17

Latest updateJun 20

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/rubygems< jruby 9.1.17.0-3 (bookworm)

▶Debianrubygems/rubygems< 3.2.0~rc.1-1+3

▶NVDrubygems/rubygems2.6.0 — 3.0.2

▶debiandebian/jruby< jruby 9.1.17.0-3 (bookworm)

▶Debianjruby/jruby< 9.1.17.0-3+2

Also affects: Debian Linux 9.0

🔴Vulnerability Details

OSV

RubyGems Escape sequence injection in errors↗2019-06-20

▶

GHSA

RubyGems Escape sequence injection in errors↗2019-06-20

▶

OSV

CVE-2019-8325: An issue was discovered in RubyGems 2↗2019-06-17

▶

CVEList

CVE-2019-8325: An issue was discovered in RubyGems 2↗2019-06-17

▶

OSV

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities↗2019-04-11

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2019-04-11

▶

Red Hat

rubygems: Escape sequence injection vulnerability in errors↗2019-03-05

▶

Debian

CVE-2019-8325: jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::Comm...↗2019

▶

💬Community

Bugzilla

CVE-2019-8325 rubygems: Escape sequence injection vulnerability in errors↗2019-03-25

▶

Bugzilla

CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 rubygems: various flaws [fedora-all]↗2019-03-25

▶