FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)

High Nessus Plugin ID 122883

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

RubyGems Security Advisories:

CVE-2019-8320: Delete directory using symlink when decompressing tar

CVE-2019-8321: Escape sequence injection vulnerability in 'verbose'

CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner'

CVE-2019-8323: Escape sequence injection vulnerability in API response handling

CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution

CVE-2019-8325: Escape sequence injection vulnerability in errors

Solution

Update the affected packages.

See Also

https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

https://github.com/rubygems/rubygems/blob/master/History.txt

http://www.nessus.org/u?430f1e1b

Plugin Details

Severity: High

ID: 122883

File Name: freebsd_pkg_27b12d04472211e98b7cb5e01141761f.nasl

Version: 1.3

Type: local

Published: 2019/03/18

Updated: 2019/06/19

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 8.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:C/A:C

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ruby23-gems, p-cpe:/a:freebsd:freebsd:ruby24-gems, p-cpe:/a:freebsd:freebsd:ruby25-gems, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2019/03/15

Vulnerability Publication Date: 2019/03/05

Reference Information

CVE: CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325