2 matches found
Arbitrary Code Injection
Overview rubygems-update is an inbuilt rubygem for updating rubygems. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the Gem::UserInteractionverbose function which calls say without escaping. Remediation Upgrade rubygems-update to version 2.7.9, 3.0.3 or highe...
rubygems: Escape sequence injection vulnerability in verbose
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteractionverbose calls say without escaping, escape sequence injection is possible...