AmazonALAS2-2019-1249Important: ruby
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.6 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
67.7%
Issue Overview:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. (CVE-2019-8322)
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. (CVE-2019-8323)
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) (CVE-2019-8325)
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. (CVE-2019-8324)
Affected Packages:
ruby
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ruby to update your system.
New Packages:
aarch64:
ruby-2.0.0.648-35.amzn2.0.1.aarch64
ruby-devel-2.0.0.648-35.amzn2.0.1.aarch64
ruby-libs-2.0.0.648-35.amzn2.0.1.aarch64
rubygem-bigdecimal-1.2.0-35.amzn2.0.1.aarch64
rubygem-io-console-0.4.2-35.amzn2.0.1.aarch64
rubygem-json-1.7.7-35.amzn2.0.1.aarch64
rubygem-psych-2.0.0-35.amzn2.0.1.aarch64
ruby-tcltk-2.0.0.648-35.amzn2.0.1.aarch64
ruby-debuginfo-2.0.0.648-35.amzn2.0.1.aarch64
i686:
ruby-2.0.0.648-35.amzn2.0.1.i686
ruby-devel-2.0.0.648-35.amzn2.0.1.i686
ruby-libs-2.0.0.648-35.amzn2.0.1.i686
rubygem-bigdecimal-1.2.0-35.amzn2.0.1.i686
rubygem-io-console-0.4.2-35.amzn2.0.1.i686
rubygem-json-1.7.7-35.amzn2.0.1.i686
rubygem-psych-2.0.0-35.amzn2.0.1.i686
ruby-tcltk-2.0.0.648-35.amzn2.0.1.i686
ruby-debuginfo-2.0.0.648-35.amzn2.0.1.i686
noarch:
rubygems-2.0.14.1-35.amzn2.0.1.noarch
rubygems-devel-2.0.14.1-35.amzn2.0.1.noarch
rubygem-rake-0.9.6-35.amzn2.0.1.noarch
ruby-irb-2.0.0.648-35.amzn2.0.1.noarch
rubygem-rdoc-4.0.0-35.amzn2.0.1.noarch
ruby-doc-2.0.0.648-35.amzn2.0.1.noarch
rubygem-minitest-4.3.2-35.amzn2.0.1.noarch
src:
ruby-2.0.0.648-35.amzn2.0.1.src
x86_64:
ruby-2.0.0.648-35.amzn2.0.1.x86_64
ruby-devel-2.0.0.648-35.amzn2.0.1.x86_64
ruby-libs-2.0.0.648-35.amzn2.0.1.x86_64
rubygem-bigdecimal-1.2.0-35.amzn2.0.1.x86_64
rubygem-io-console-0.4.2-35.amzn2.0.1.x86_64
rubygem-json-1.7.7-35.amzn2.0.1.x86_64
rubygem-psych-2.0.0-35.amzn2.0.1.x86_64
ruby-tcltk-2.0.0.648-35.amzn2.0.1.x86_64
ruby-debuginfo-2.0.0.648-35.amzn2.0.1.x86_64
Additional References
Red Hat: CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325
Mitre: CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.6 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
67.7%