9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.3%
Package : jruby
Version : 1.5.6-9+deb8u1
CVE ID : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Debian Bug : 895778 925987
Multiple vulnerabilities have been discovered in jruby, Java
implementation of the Ruby programming language.
CVE-2018-1000074
Deserialization of Untrusted Data vulnerability in owner command
that can result in code execution. This attack appear to be
exploitable via victim must run the `gem owner` command on a gem
with a specially crafted YAML file
CVE-2018-1000075
an infinite loop caused by negative size vulnerability in ruby gem
package tar header that can result in a negative size could cause an
infinite loop
CVE-2018-1000076
Improper Verification of Cryptographic Signature vulnerability in
package.rb that can result in a mis-signed gem could be installed,
as the tarball would contain multiple gem signatures.
CVE-2018-1000077
Improper Input Validation vulnerability in ruby gems specification
homepage attribute that can result in a malicious gem could set an
invalid homepage URL
CVE-2018-1000078
Cross Site Scripting (XSS) vulnerability in gem server display of
homepage attribute that can result in XSS. This attack appear to be
exploitable via the victim must browse to a malicious gem on a
vulnerable gem server
CVE-2019-8321
Gem::UserInteraction#verbose calls say without escaping, escape
sequence injection is possible
CVE-2019-8322
The gem owner command outputs the contents of the API response
directly to stdout. Therefore, if the response is crafted, escape
sequence injection may occur
CVE-2019-8323
Gem::GemcutterUtilities#with_response may output the API response to
stdout as it is. Therefore, if the API side modifies the response,
escape sequence injection may occur.
CVE-2019-8324
A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line
of gemspec
CVE-2019-8325
Gem::CommandManager#run calls alert_error without escaping, escape
sequence injection is possible. (There are many ways to cause an
error.)
For Debian 8 "Jessie", these problems have been fixed in version
1.5.6-9+deb8u1.
We recommend that you upgrade your jruby packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 9 | armel | ruby2.3 | < 2.3.3-1+deb9u3 | ruby2.3_2.3.3-1+deb9u3_armel.deb |
Debian | 9 | s390x | ruby2.3-tcltk-dbgsym | < 2.3.3-1+deb9u3 | ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u3_s390x.deb |
Debian | 8 | armel | ruby2.1-dev | < 2.1.5-2+deb8u4 | ruby2.1-dev_2.1.5-2+deb8u4_armel.deb |
Debian | 7 | all | rubygems-doc | < 1.8.24-1+deb7u2 | rubygems-doc_1.8.24-1+deb7u2_all.deb |
Debian | 9 | i386 | ruby2.3-tcltk-dbgsym | < 2.3.3-1+deb9u3 | ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u3_i386.deb |
Debian | 8 | all | jruby | < 1.5.6-9+deb8u1 | jruby_1.5.6-9+deb8u1_all.deb |
Debian | 9 | amd64 | ruby2.3-dbgsym | < 2.3.3-1+deb9u3 | ruby2.3-dbgsym_2.3.3-1+deb9u3_amd64.deb |
Debian | 8 | armel | ruby2.1-tcltk | < 2.1.5-2+deb8u4 | ruby2.1-tcltk_2.1.5-2+deb8u4_armel.deb |
Debian | 7 | amd64 | libtcltk-ruby1.9.1 | < 1.9.3.194-8.1+deb7u8 | libtcltk-ruby1.9.1_1.9.3.194-8.1+deb7u8_amd64.deb |
Debian | 9 | s390x | ruby2.3 | < 2.3.3-1+deb9u3 | ruby2.3_2.3.3-1+deb9u3_s390x.deb |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.014 Low
EPSS
Percentile
86.3%