CVE-2019-8323MEDIUM
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
References
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
https://hackerone.com/reports/315081
https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
Details
Source: MITRE
Published: 2019-06-17
Updated: 2020-08-19
Type: CWE-74
Risk Information
CVSS v2.0
Base Score: 5
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
CVSS v3.0
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Impact Score: 3.6
Exploitability Score: 3.9
Severity: HIGH
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* versions from 2.6.0 to 3.0.2 (inclusive)
Configuration 2
OR
Configuration 3
OR
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 139628 | Debian DLA-2330-1 : jruby security update | Nessus | Debian Local Security Checks | high |
| 137897 | RHEL 7 : ruby (RHSA-2020:2769) | Nessus | Red Hat Local Security Checks | medium |
| 137599 | SUSE SLES12 Security Update : ruby2.1 (SUSE-SU-2020:1570-1) | Nessus | SuSE Local Security Checks | high |
| 127811 | Amazon Linux AMI : ruby20 / ruby21,ruby24 (ALAS-2019-1255) | Nessus | Amazon Linux Local Security Checks | high |
| 127299 | NewStart CGSL CORE 5.05 / MAIN 5.05 : ruby Multiple Vulnerabilities (NS-SA-2019-0084) | Nessus | NewStart CGSL Local Security Checks | medium |
| 127292 | NewStart CGSL CORE 5.04 / MAIN 5.04 : ruby Multiple Vulnerabilities (NS-SA-2019-0080) | Nessus | NewStart CGSL Local Security Checks | medium |
| 126961 | Amazon Linux 2 : ruby (ALAS-2019-1249) | Nessus | Amazon Linux Local Security Checks | medium |
| 126904 | openSUSE Security Update : ruby-bundled-gems-rpmhelper / ruby2.5 (openSUSE-2019-1771) | Nessus | SuSE Local Security Checks | high |
| 126846 | EulerOS 2.0 SP2 : ruby (EulerOS-SA-2019-1718) | Nessus | Huawei Local Security Checks | high |
| 126617 | SUSE SLED15 / SLES15 Security Update : ruby-bundled-gems-rpmhelper, ruby2.5 (SUSE-SU-2019:1804-1) | Nessus | SuSE Local Security Checks | high |
| 125569 | EulerOS Virtualization for ARM 64 3.0.2.0 : ruby (EulerOS-SA-2019-1617) | Nessus | Huawei Local Security Checks | high |
| 125524 | EulerOS 2.0 SP5 : ruby (EulerOS-SA-2019-1597) | Nessus | Huawei Local Security Checks | medium |
| 125316 | CentOS 7 : ruby (CESA-2019:1235) | Nessus | CentOS Local Security Checks | medium |
| 125297 | Debian DLA-1796-1 : jruby security update | Nessus | Debian Local Security Checks | high |
| 125208 | Scientific Linux Security Update : ruby on SL7.x x86_64 (20190515) | Nessus | Scientific Linux Local Security Checks | medium |
| 125201 | RHEL 7 : ruby (RHSA-2019:1235) | Nessus | Red Hat Local Security Checks | medium |
| 125191 | Oracle Linux 7 : ruby (ELSA-2019-1235) | Nessus | Oracle Linux Local Security Checks | medium |
| 124728 | Fedora 28 : ruby (2019-feac6674b7) | Nessus | Fedora Local Security Checks | high |
| 124574 | Fedora 29 : ruby (2019-a155364f3c) | Nessus | Fedora Local Security Checks | high |
| 124096 | Debian DSA-4433-1 : ruby2.3 - security update | Nessus | Debian Local Security Checks | high |
| 123522 | Debian DLA-1735-1 : ruby2.1 security update | Nessus | Debian Local Security Checks | high |
| 122883 | FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f) | Nessus | FreeBSD Local Security Checks | high |