FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)

High Nessus Plugin ID 122883

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

RubyGems Security Advisories (all six fixed in the same RubyGems release series; the CVSS scores below are taken from CVE-2019-8320):

CVE-2019-8320: Delete directory using symlink when decompressing tar

CVE-2019-8321: Escape sequence injection vulnerability in 'verbose'

CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner'

CVE-2019-8323: Escape sequence injection vulnerability in API response handling

CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution

CVE-2019-8325: Escape sequence injection vulnerability in errors
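The advisory list names two bug classes: a symlink-following remove-before-write during tar extraction (CVE-2019-8320) and unfiltered control/escape sequences in strings that RubyGems echoes to the terminal (the four escape-sequence CVEs). The block below is an added Ruby example, not RubyGems' own code and not the FreeBSD port's, showing the check each class needs. The function names, the regexes, and the extraction scenario (a pre-existing symlink at "root/lib" pointing outside the extraction root) are this example's own assumptions; the vulnerable extractor is the general shape of the bug, not a copy of the affected RubyGems code.

```ruby
require "fileutils"
require "tmpdir"

# Added example; not RubyGems' or the FreeBSD port's code. Function names,
# regexes and the extraction scenario below are this example's own.

# --- Escape-sequence injection (the 'verbose', 'gem owner', API response
# and error-message advisories) -------------------------------------------
# Untrusted strings (gem names, owner handles, API bodies) that reach a
# terminal must not carry sequences the terminal will interpret.
CSI_SEQUENCE  = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/   # ESC [ params final
OSC_SEQUENCE  = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/           # ESC ] ... BEL or ST
OTHER_CONTROL = /[\x00-\x08\x0b-\x1f\x7f]/                     # keeps only \t and \n

def sanitize_for_terminal(str)
  s = str.to_s.scrub("?")     # invalid bytes would make the regexes raise
  s = s.gsub(CSI_SEQUENCE, "")
  s = s.gsub(OSC_SEQUENCE, "")
  s.gsub(OTHER_CONTROL, "")   # strips stray ESC, CR, BEL, NUL, DEL, ...
end

# --- Symlink-aware extraction (the tar advisory) --------------------------

# Map an archive entry onto a path under +root+. Rejects entries that
# escape lexically (absolute, "../") and entries whose leaf or any on-disk
# ancestor is a symlink: FileUtils.rm_rf("root/lib/x") follows a symlink at
# "root/lib" and removes the link target's "x", outside the root.
def safe_destination(root, entry_name)
  raise ArgumentError, "absolute path in archive: #{entry_name}" if entry_name.start_with?("/")
  root = File.expand_path(root)
  dest = File.expand_path(File.join(root, entry_name))  # join first: no "~user" expansion
  unless dest.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "path escapes extraction root: #{entry_name}"
  end
  current = root
  dest[(root.length + 1)..-1].split(File::SEPARATOR).each do |part|
    current = File.join(current, part)
    raise ArgumentError, "refusing to traverse symlink: #{current}" if File.symlink?(current)
    break unless File.exist?(current)   # nothing below an absent path exists yet
  end
  dest
end

# Vulnerable shape: clear whatever is at the destination, then write.
def unsafe_extract_entry(root, entry_name, content)
  dest = File.join(root, entry_name)
  FileUtils.mkdir_p(File.dirname(dest))
  FileUtils.rm_rf(dest)        # a symlinked ancestor redirects this out of root
  File.binwrite(dest, content)
  dest
end

# Hardened shape: same remove-then-write, but only on a vetted path.
def safe_extract_entry(root, entry_name, content)
  dest = safe_destination(root, entry_name)
  FileUtils.mkdir_p(File.dirname(dest))
  FileUtils.rm_rf(dest)
  File.binwrite(dest, content)
  dest
end

# Constructed scenario: "root/lib" already points outside the extraction
# root and the archive carries an entry "lib/keep.txt". Returns the victim
# file's content after the given extractor ran, or nil if it is gone.
def demo(extractor)
  Dir.mktmpdir do |tmp|
    root   = File.join(tmp, "root")
    victim = File.join(tmp, "victim")
    FileUtils.mkdir_p(root)
    FileUtils.mkdir_p(victim)
    File.write(File.join(victim, "keep.txt"), "do not delete")
    File.symlink(victim, File.join(root, "lib"))
    begin
      send(extractor, root, "lib/keep.txt", "payload")
    rescue ArgumentError
      # refused by safe_destination; victim untouched
    end
    path = File.join(victim, "keep.txt")
    File.exist?(path) ? File.read(path) : nil
  end
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_for_terminal("evil\e[2J\e]0;pwned\agem\r\n").inspect  # "evilgem\n"
  puts "unsafe: #{demo(:unsafe_extract_entry).inspect}"               # "payload"
  puts "safe:   #{demo(:safe_extract_entry).inspect}"                 # "do not delete"
end
```

Two caveats a practitioner should keep in mind. The symlink walk in safe_destination is a check followed by a separate rm_rf, so it is only a lexical/TOCTOU-free guard when no other principal can write into the extraction root concurrently; an extractor that must tolerate that needs per-component O_NOFOLLOW opens (openat-style) or extraction into a freshly created private directory. And none of this replaces the fix: on the affected hosts the remedy is the package update named under Solution below, which carries the upstream RubyGems patches.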

Solution

Update the affected packages.

See Also

https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

https://github.com/rubygems/rubygems/blob/master/History.txt

http://www.nessus.org/u?430f1e1b

Plugin Details

Severity: High

ID: 122883

File Name: freebsd_pkg_27b12d04472211e98b7cb5e01141761f.nasl

Version: 1.4

Type: local

Published: 2019/03/18

Updated: 2020/02/05

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2019-8320

CVSS v2.0

Base Score: 8.8

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ruby23-gems, p-cpe:/a:freebsd:freebsd:ruby24-gems, p-cpe:/a:freebsd:freebsd:ruby25-gems, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/03/15

Vulnerability Publication Date: 2019/03/05

Reference Information

CVE: CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325