CVE-2019-8324

MEDIUM

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

References

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

https://access.redhat.com/errata/RHSA-2019:1972

https://hackerone.com/reports/328571

https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

Details

Source: MITRE

Published: 2019-06-17

Updated: 2020-08-24

Type: CWE-94

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Tenable Plugins

View all (24 total)

ID	Name	Product	Family	Severity
139628	Debian DLA-2330-1 : jruby security update	Nessus	Debian Local Security Checks	high
137897	RHEL 7 : ruby (RHSA-2020:2769)	Nessus	Red Hat Local Security Checks	medium
137599	SUSE SLES12 Security Update : ruby2.1 (SUSE-SU-2020:1570-1)	Nessus	SuSE Local Security Checks	high
127811	Amazon Linux AMI : ruby20 / ruby21,ruby24 (ALAS-2019-1255)	Nessus	Amazon Linux Local Security Checks	high
127642	RHEL 8 : ruby:2.5 (RHSA-2019:1972)	Nessus	Red Hat Local Security Checks	medium
127610	Oracle Linux 8 : ruby:2.5 (ELSA-2019-1972)	Nessus	Oracle Linux Local Security Checks	medium
127299	NewStart CGSL CORE 5.05 / MAIN 5.05 : ruby Multiple Vulnerabilities (NS-SA-2019-0084)	Nessus	NewStart CGSL Local Security Checks	medium
127292	NewStart CGSL CORE 5.04 / MAIN 5.04 : ruby Multiple Vulnerabilities (NS-SA-2019-0080)	Nessus	NewStart CGSL Local Security Checks	medium
126961	Amazon Linux 2 : ruby (ALAS-2019-1249)	Nessus	Amazon Linux Local Security Checks	medium
126904	openSUSE Security Update : ruby-bundled-gems-rpmhelper / ruby2.5 (openSUSE-2019-1771)	Nessus	SuSE Local Security Checks	high
126846	EulerOS 2.0 SP2 : ruby (EulerOS-SA-2019-1718)	Nessus	Huawei Local Security Checks	high
126617	SUSE SLED15 / SLES15 Security Update : ruby-bundled-gems-rpmhelper, ruby2.5 (SUSE-SU-2019:1804-1)	Nessus	SuSE Local Security Checks	high
125569	EulerOS Virtualization for ARM 64 3.0.2.0 : ruby (EulerOS-SA-2019-1617)	Nessus	Huawei Local Security Checks	high
125524	EulerOS 2.0 SP5 : ruby (EulerOS-SA-2019-1597)	Nessus	Huawei Local Security Checks	medium
125316	CentOS 7 : ruby (CESA-2019:1235)	Nessus	CentOS Local Security Checks	medium
125297	Debian DLA-1796-1 : jruby security update	Nessus	Debian Local Security Checks	high
125208	Scientific Linux Security Update : ruby on SL7.x x86_64 (20190515)	Nessus	Scientific Linux Local Security Checks	medium
125201	RHEL 7 : ruby (RHSA-2019:1235)	Nessus	Red Hat Local Security Checks	medium
125191	Oracle Linux 7 : ruby (ELSA-2019-1235)	Nessus	Oracle Linux Local Security Checks	medium
124728	Fedora 28 : ruby (2019-feac6674b7)	Nessus	Fedora Local Security Checks	high
124574	Fedora 29 : ruby (2019-a155364f3c)	Nessus	Fedora Local Security Checks	high
124096	Debian DSA-4433-1 : ruby2.3 - security update	Nessus	Debian Local Security Checks	high
123522	Debian DLA-1735-1 : ruby2.1 security update	Nessus	Debian Local Security Checks	high
122883	FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)	Nessus	FreeBSD Local Security Checks	high

CVE-2019-8324

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins