FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)
high Nessus Plugin ID 122883
Language:
Synopsis
The remote FreeBSD host is missing one or more security-related updates.Description
RubyGems Security Advisories :CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in 'verbose'
CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner'
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Solution
Update the affected packages.See Also
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
https://github.com/rubygems/rubygems/blob/master/History.txt
Plugin Details
Severity: High
ID: 122883
File Name: freebsd_pkg_27b12d04472211e98b7cb5e01141761f.nasl
Version: 1.4
Type: local
Family: FreeBSD Local Security Checks
Published: 3/18/2019
Updated: 2/5/2020
Risk Information
CVSS Score Source: CVE-2019-8320
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 8.8
Temporal Score: 6.5
Vector: AV:N/AC:M/Au:N/C:N/I:C/A:C
Temporal Vector: E:U/RL:OF/RC:C
CVSS v3
Risk Factor: High
Base Score: 7.4
Temporal Score: 6.4
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Temporal Vector: E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:freebsd:freebsd:ruby23-gems, p-cpe:/a:freebsd:freebsd:ruby24-gems, p-cpe:/a:freebsd:freebsd:ruby25-gems, cpe:/o:freebsd:freebsd
Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info
Exploit Ease: No known exploits are available
Patch Publication Date: 3/15/2019
Vulnerability Publication Date: 3/5/2019
Reference Information
CVE: CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325