2169 matches found
CVE-2019-8323
RubyGems 2.6 and later through 3.0.2 contain an escape sequence injection vulnerability in API response handling. Specifically, Gem::GemcutterUtilities#with_response may output the API response to stdout as it is, and if the response is crafted, this can be exploited. The issue is documented as C...
CVE-2019-8323
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilitieswithresponse may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur...
CVE-2019-8323
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilitieswithresponse may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur...
CVE-2019-8325
The CVE-2019-8325 issue is a vulnerability in RubyGems where Gem::CommandManager#run calls alert_error without escaping, enabling escape sequence injection (described as multiple ways to trigger an error). The connected Debian advisory confirms the impact is present in JRuby packages and lists CV...
CVE-2019-8325
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManagerrun calls alerterror without escaping, escape sequence injection is possible. There are many ways to cause an error...
CVE-2019-8325
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManagerrun calls alerterror without escaping, escape sequence injection is possible. There are many ways to cause an error...
CVE-2019-8325
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManagerrun calls alerterror without escaping, escape sequence injection is possible. There are many ways to cause an error...
CVE-2019-8324
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensureloadablespec during the preinstall check...
CVE-2019-8324
RubyGems 2.6–3.0.2 contains CVE-2019-8324: a crafted gem with a multi-line name can inject code into the stub line of gemspec, which is eval-ed during the preinstall check, allowing arbitrary code execution during gem installation. Multiple downstream advisories confirm the issue and recommend up...
CVE-2019-8324
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensureloadablespec during the preinstall check...
CVE-2019-8324
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensureloadablespec during the preinstall check...
rubygems: Escape sequence injection vulnerability in gem owner
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...
rubygems: Escape sequence injection vulnerability in verbose
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteractionverbose calls say without escaping, escape sequence injection is possible...
rubygems: Escape sequence injection vulnerability in errors
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManagerrun calls alerterror without escaping, escape sequence injection is possible. There are many ways to cause an error...
ALPINE-CVE-2019-8320
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...
CVE-2019-8320
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...
CVE-2019-8320
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...
Directory traversal
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...
CVE-2019-8320
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...
CVE-2019-8320
RubyGems vulnerability CVE-2019-8320: A Directory Traversal flaw in RubyGems 2.7.6–3.0.2 can delete the target destination when creating directories or touching files, if the path is behind a symlink. This could allow a malicious gem to delete arbitrary files on the user’s machine due to symlink ...