8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
Recent assessments:
busterb at May 09, 2019 5:57pm UTC reported:
Rubygems has a vulnerability that allows for arbitrary code execution while a gem is being installed. However, itβs unclear how this is any worse than either using the malicious gem itself, or using the ability of gems to compile and execute arbitrary build instructions in the first place. It is interesting to be able to name a gem a particular way to create code execution. But you have to convince someone to install your gem in the first place. I presume that rubygems.org now prevents malicious gems from being published, but it would be interesting to see.
0xEmma at March 15, 2020 7:14pm UTC reported:
Rubygems has a vulnerability that allows for arbitrary code execution while a gem is being installed. However, itβs unclear how this is any worse than either using the malicious gem itself, or using the ability of gems to compile and execute arbitrary build instructions in the first place. It is interesting to be able to name a gem a particular way to create code execution. But you have to convince someone to install your gem in the first place. I presume that rubygems.org now prevents malicious gems from being published, but it would be interesting to see.
avishwakarma-r7 at March 17, 2020 5:28am UTC reported:
Rubygems has a vulnerability that allows for arbitrary code execution while a gem is being installed. However, itβs unclear how this is any worse than either using the malicious gem itself, or using the ability of gems to compile and execute arbitrary build instructions in the first place. It is interesting to be able to name a gem a particular way to create code execution. But you have to convince someone to install your gem in the first place. I presume that rubygems.org now prevents malicious gems from being published, but it would be interesting to see.
Assessed Attacker Value: 1
Assessed Attacker Value: 1Assessed Attacker Value: 3
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P