Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.

The remote Ubuntu 18.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-4870-1 advisory.

  - Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage     location for gems, if locations under the user's home directory are not available. If Bundler is used in a     scenario where the user does not have a writable home directory, an attacker could place malicious code in     this directory that would be later loaded and executed. (CVE-2019-3881)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:2588 advisory.

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within     File.fnmatch functions. (CVE-2019-15845)

  - WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a     regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server     that uses DigestAuth to the Internet or a untrusted network. (CVE-2019-16201)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a     program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to     insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this     issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not     address an isolated CR or an isolated LF. (CVE-2019-16254)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first     argument (aka the command argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An     attacker can exploit this to call an arbitrary Ruby method. (CVE-2019-16255)

  - Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage     location for gems, if locations under the user's home directory are not available. If Bundler is used in a     scenario where the user does not have a writable home directory, an attacker could place malicious code in     this directory that would be later loaded and executed. (CVE-2019-3881)

  - The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through     2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not     rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead     to creation of a malicious object within the interpreter, with adverse effects that are application-     dependent. (CVE-2020-10663)

  - An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls     BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit     the requested size, but no data is copied. Thus, the buffer string provides the previous value of the     heap. This may expose possibly sensitive data from the interpreter. (CVE-2020-10933)

  - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a     simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An     attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header     check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

  - The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not     properly address XML round-trip issues. An incorrect document can be produced after parsing and     serializing. (CVE-2021-28965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2230 advisory.

  - ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)

  - ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication     (CVE-2019-16201)

  - ruby: HTTP response splitting in WEBrick (CVE-2019-16254)

  - ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)

  - rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code     (CVE-2019-3881)

  - rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)

  - ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)

  - ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)

  - ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:2588 advisory.

  - Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage     location for gems, if locations under the user's home directory are not available. If Bundler is used in a     scenario where the user does not have a writable home directory, an attacker could place malicious code in     this directory that would be later loaded and executed. (CVE-2019-3881)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within     File.fnmatch functions. (CVE-2019-15845)

  - WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a     regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server     that uses DigestAuth to the Internet or a untrusted network. (CVE-2019-16201)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a     program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to     insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this     issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not     address an isolated CR or an isolated LF. (CVE-2019-16254)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first     argument (aka the command argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An     attacker can exploit this to call an arbitrary Ruby method. (CVE-2019-16255)

  - The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through     2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not     rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead     to creation of a malicious object within the interpreter, with adverse effects that are application-     dependent. (CVE-2020-10663)

  - An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls     BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit     the requested size, but no data is copied. Thus, the buffer string provides the previous value of the     heap. This may expose possibly sensitive data from the interpreter. (CVE-2020-10933)

  - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a     simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An     attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header     check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

  - The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not     properly address XML round-trip issues. An incorrect document can be produced after parsing and     serializing. (CVE-2021-28965)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the rubygem package has been released.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-2588 advisory.

  - The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through     2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not     rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead     to creation of a malicious object within the interpreter, with adverse effects that are application-     dependent. (CVE-2020-10663)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within     File.fnmatch functions. (CVE-2019-15845)

  - WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a     regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server     that uses DigestAuth to the Internet or a untrusted network. (CVE-2019-16201)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a     program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to     insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this     issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not     address an isolated CR or an isolated LF. (CVE-2019-16254)

  - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first     argument (aka the command argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An     attacker can exploit this to call an arbitrary Ruby method. (CVE-2019-16255)

  - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a     simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An     attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header     check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

  - An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls     BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit     the requested size, but no data is copied. Thus, the buffer string provides the previous value of the     heap. This may expose possibly sensitive data from the interpreter. (CVE-2020-10933)

  - The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not     properly address XML round-trip issues. An incorrect document can be produced after parsing and     serializing. (CVE-2021-28965)

  - Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage     location for gems, if locations under the user's home directory are not available. If Bundler is used in a     scenario where the user does not have a writable home directory, an attacker could place malicious code in     this directory that would be later loaded and executed. (CVE-2019-3881)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:2588 advisory.

  - ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)

  - ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication     (CVE-2019-16201)

  - ruby: HTTP response splitting in WEBrick (CVE-2019-16254)

  - ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)

  - rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code     (CVE-2019-3881)

  - rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)

  - ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)

  - ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)

  - ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2588 advisory.

  - ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)

  - ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication     (CVE-2019-16201)

  - ruby: HTTP response splitting in WEBrick (CVE-2019-16254)

  - ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)

  - rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code     (CVE-2019-3881)

  - rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)

  - ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)

  - ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)

  - ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Gitlab reports :

Ability to steal a user's API access token through GitLab Pages

Prometheus denial of service via HTTP request with custom method

Unauthorized user is able to access private repository information under specific conditions

Regular expression denial of service in NuGet API

Regular expression denial of service in package uploads

Update curl dependency

CVE-2019-3881 mitigation

This update for rubygem-bundler fixes the following issue :

  - CVE-2019-3881: Fixed insecure permissions on a directory     in /tmp/ that allowed malicious code execution     (bsc#1143436).

This update was imported from the SUSE:SLE-15:Update update project.

This update for rubygem-bundler fixes the following issue :

CVE-2019-3881: Fixed insecure permissions on a directory in /tmp/ that allowed malicious code execution (bsc#1143436).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
183182	Ubuntu 18.04 ESM : Bundler vulnerability (USN-4870-1)	Nessus	Ubuntu Local Security Checks	high
179413	AlmaLinux 8 : ruby:2.6 (ALSA-2021:2588)	Nessus	Alma Linux Local Security Checks	high
165130	RHEL 7 : rh-ruby26-ruby (RHSA-2021:2230)	Nessus	Red Hat Local Security Checks	high
157798	Rocky Linux 8 : ruby:2.6 (RLSA-2021:2588)	Nessus	Rocky Linux Local Security Checks	high
151947	Photon OS 4.0: Rubygem PHSA-2021-4.0-0060	Nessus	PhotonOS Local Security Checks	high
151449	Oracle Linux 8 : ruby:2.6 (ELSA-2021-2588)	Nessus	Oracle Linux Local Security Checks	high
151146	CentOS 8 : ruby:2.6 (CESA-2021:2588)	Nessus	CentOS Local Security Checks	high
151143	RHEL 8 : ruby:2.6 (RHSA-2021:2588)	Nessus	Red Hat Local Security Checks	high
144815	FreeBSD : Gitlab -- multiple vulnerabilities (a2a2b34d-52b4-11eb-87cb-001b217b3468)	Nessus	FreeBSD Local Security Checks	high
138701	openSUSE Security Update : rubygem-bundler (openSUSE-2020-861)	Nessus	SuSE Local Security Checks	high
138681	openSUSE Security Update : rubygem-bundler (openSUSE-2020-803)	Nessus	SuSE Local Security Checks	high
138542	SUSE SLED15 / SLES15 Security Update : rubygem-bundler (SUSE-SU-2020:1582-2)	Nessus	SuSE Local Security Checks	high
137606	SUSE SLED15 / SLES15 Security Update : rubygem-bundler (SUSE-SU-2020:1582-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2019-3881

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high