2157 matches found

Cvelist
added 2019/06/17 6:59 p.m. · 21 views

CVE-2019-8324

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check...

AI score 8.6 · EPSS 0.00501
Exploits 0 · References 4
CVE
added 2019/06/17 6:59 p.m. · 297 views

CVE-2019-8324

RubyGems 2.6–3.0.2 contains CVE-2019-8324: a crafted gem with a multi-line name can inject code into the stub line of gemspec, which is eval-ed during the preinstall check, allowing arbitrary code execution during gem installation. Multiple downstream advisories confirm the issue and recommend up...

CVSS 8.8 · AI score 8.5 · EPSS 0.00501
Exploits 0 · References 4 · Affected software 1
Debian CVE
added 2019/06/17 6:59 p.m. · 29 views

CVE-2019-8324

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check...

CVSS 8.8 · AI score 7.6 · EPSS 0.00501
Exploits 0
AlpineLinux
added 2019/06/17 6:59 p.m. · 29 views

CVE-2019-8324

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check...

CVSS 8.8 · AI score 8.8 · EPSS 0.00501
Exploits 0
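The CVE-2019-8324 entries above all describe one mechanism: the cached gemspec begins with a "# stub:" comment line into which the gem name is interpolated, so a name containing a newline turns everything after that newline into a Ruby statement that the pre-install eval then executes. The Ruby below is an added example, not RubyGems code; `stub_header`, `stub_statements` and `validate_gem_name!` are hypothetical helper names, and the crafted name is constructed for illustration.

```ruby
# Added example (not RubyGems code). Models how a one-line "# stub:" comment
# header becomes more than one line when the gem name contains a newline.

# Builds the header the way a cached gemspec begins: a single comment line
# carrying name, version, platform and require paths. Hypothetical helper.
def stub_header(name, version, platform = "ruby", require_paths = "lib")
  "# stub: #{name} #{version} #{platform} #{require_paths}\n"
end

# Returns the non-comment lines of the header. For a well-formed name this is
# empty; anything returned here would be executed by an eval of the header.
def stub_statements(name, version)
  stub_header(name, version).lines.map(&:chomp).reject { |l| l.start_with?("#") }
end

# Hardened check: refuse any name that is not a single line of printable
# characters, so it can never break out of the comment it is embedded in.
def validate_gem_name!(name)
  unless name.is_a?(String) && name.match?(/\A[[:print:]]+\z/)
    raise ArgumentError, "invalid gem name #{name.inspect}: must be one printable line"
  end
  name
end

# Constructed attacker-controlled name: the text after the newline is a Ruby
# statement, and the trailing "#" comments out the remaining stub fields.
CRAFTED_NAME = "evil\nputs 'code runs at install time' #"

if __FILE__ == $0
  p stub_statements("rake", "13.0.0")    # => []
  p stub_statements(CRAFTED_NAME, "1.0")  # => ["puts 'code runs at install time' # 1.0 ruby lib"]
  begin
    validate_gem_name!(CRAFTED_NAME)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The validation runs before the stub is ever written, which is the property that matters: once a multi-line name reaches the header, no amount of later parsing can tell the injected statement apart from a legitimate one.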
RedHat Linux
added 2019/06/11 5:33 a.m. · 1 view

rubygems: Escape sequence injection vulnerability in gem owner

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

CVSS 7.5 · AI score 6.7 · EPSS 0.00321
Exploits 0 · References 4
RedHat Linux
added 2019/06/11 5:33 a.m. · 2 views

rubygems: Escape sequence injection vulnerability in verbose

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible...

CVSS 7.5 · AI score 6.7 · EPSS 0.00321
Exploits 0 · References 4
RedHat Linux
added 2019/06/11 5:33 a.m. · 4 views

rubygems: Escape sequence injection vulnerability in errors

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. There are many ways to cause an error...

CVSS 7.5 · AI score 6.7 · EPSS 0.00321
Exploits 0 · References 4
OSV
added 2019/06/06 3:29 p.m. · 1 view

ALPINE-CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 7.4 · AI score 7.2 · EPSS 0.06225
Exploits 1 · References 1
NVD
added 2019/06/06 3:29 p.m. · 14 views

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 8.8 · AI score 8 · EPSS 0.06225
Exploits 1 · References 5
OSV
added 2019/06/06 3:29 p.m. · 21 views

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 7.4 · AI score 6.8
Exploits 0 · References 5
Prion
added 2019/06/06 3:29 p.m. · 20 views

Directory traversal

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 8.8 · AI score 7.8 · EPSS 0.06225
Exploits 1 · References 5 · Affected software 1
Debian CVE
added 2019/06/06 2:50 p.m. · 31 views

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 8.8 · AI score 7.7 · EPSS 0.06225
Exploits 1
CVE
added 2019/06/06 2:50 p.m. · 369 views

CVE-2019-8320

RubyGems vulnerability CVE-2019-8320: A Directory Traversal flaw in RubyGems 2.7.6–3.0.2 can delete the target destination when creating directories or touching files, if the path is behind a symlink. This could allow a malicious gem to delete arbitrary files on the user’s machine due to symlink ...

CVSS 8.8 · AI score 7.8 · EPSS 0.06225
Exploits 1 · References 5 · Affected software 1
AlpineLinux
added 2019/06/06 2:50 p.m. · 36 views

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 8.8 · AI score 8.1 · EPSS 0.06225
Exploits 1
Cvelist
added 2019/06/06 2:50 p.m. · 18 views

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

AI score 8 · EPSS 0.06225
Exploits 1 · References 5
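The CVE-2019-8320 entries above all describe the same ordering bug: the destination was deleted before its path was checked, so a symlink planted earlier in the archive could redirect that deletion to a file outside the install directory. The Ruby below is an added example rather than RubyGems code; `naive_clear_destination`, `hardened_clear_destination` and `demo_symlink_escape` are hypothetical names, and the temporary directory layout and file contents are constructed for the demonstration.

```ruby
# Added example (not RubyGems code). Shows why "delete, then check" lets a
# planted symlink redirect the delete, and how resolving the path first fixes it.
require "fileutils"
require "tmpdir"

# Vulnerable ordering: remove whatever sits at the destination before any
# path check, following symlinks in the parent components as it goes.
def naive_clear_destination(root, rel)
  FileUtils.rm_f(File.join(root, rel))
end

# Hardened ordering: resolve the deepest existing ancestor with realpath and
# refuse unless it lies inside the install root; only then touch the destination.
def hardened_clear_destination(root, rel)
  real_root = File.realpath(root)
  dest = File.expand_path(rel, real_root)
  existing = File.dirname(dest)
  existing = File.dirname(existing) until File.exist?(existing)
  real_parent = File.realpath(existing)
  unless real_parent == real_root || real_parent.start_with?(real_root + File::SEPARATOR)
    raise ArgumentError, "#{rel.inspect} resolves outside #{root}"
  end
  raise ArgumentError, "#{rel.inspect} is a symlink" if File.symlink?(dest)
  FileUtils.rm_f(dest)
  dest
end

# Constructed scenario: a gem install directory containing a symlink "link"
# that points at a directory outside it (as an earlier malicious tar entry
# could create), followed by an entry for "link/authorized_keys".
def demo_symlink_escape
  Dir.mktmpdir do |tmp|
    outside = File.join(tmp, "home_dot_ssh")
    root = File.join(tmp, "gems", "evil-1.0")
    FileUtils.mkdir_p(outside)
    FileUtils.mkdir_p(root)
    victim = File.join(outside, "authorized_keys")
    File.write(victim, "ssh-ed25519 AAAA-constructed-sample\n")
    File.symlink(outside, File.join(root, "link"))

    naive_clear_destination(root, "link/authorized_keys")
    survived_naive = File.exist?(victim)   # false: the real file outside root is gone

    File.write(victim, "ssh-ed25519 AAAA-constructed-sample\n")
    outcome = begin
      hardened_clear_destination(root, "link/authorized_keys")
      :deleted
    rescue ArgumentError
      :blocked
    end
    [survived_naive, outcome, File.exist?(victim)]
  end
end

puts demo_symlink_escape.inspect if __FILE__ == $0   # => [false, :blocked, true]
```

The check must use realpath on an ancestor that already exists, because a not-yet-created directory has no symlink to resolve; checking the destination string alone (it does start with the install root) is exactly what the vulnerable code effectively did.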
Cent OS
added 2019/05/21 9:25 p.m. · 209 views

ruby, rubygem, rubygems security update

CentOS Errata and Security Advisory CESA-2019:1235. An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 8.8 · AI score 7.1 · EPSS 0.00501
Exploits 0 · References 7
Veracode
added 2019/05/16 4:1 a.m. · 25 views

Escape Sequence Injection

RubyGems is vulnerable to an escape sequence injection vulnerability in verbose...

CVSS 7.5 · AI score 8.2 · EPSS 0.00321
Exploits 0 · References 6 · Affected software 11
Veracode
added 2019/05/16 2:16 a.m. · 24 views

Remote Code Execution (RCE)

RubyGems is vulnerable to remote code execution attacks. YAML deserialization of gem specifications can bypass class whitelists. A remote, unauthenticated attacker could create specially crafted, serialized objects to be possibly used for remote code execution...

CVSS 9.8 · AI score 9.8 · EPSS 0.05545
Exploits 1 · References 15 · Affected software 5
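The entry above concerns deserializing gem specifications from YAML under a class whitelist. The Ruby below is an added example of the whitelist mechanism itself (Psych's `permitted_classes`), not RubyGems code and not a reproduction of the reported bypass; `Gadget`, the sample documents and the helper names are constructed for illustration.

```ruby
# Added example (not RubyGems code). Demonstrates class whitelisting in Psych:
# only explicitly permitted classes may be instantiated from tagged YAML nodes.
require "yaml"

# Constructed stand-in for any class whose instantiation from untrusted data
# would be dangerous (in a real gadget chain, a method on it runs a command).
class Gadget
  attr_accessor :cmd
end

# Constructed document: a tagged node asking the loader to build a Gadget.
TAGGED_DOC = "--- !ruby/object:Gadget\ncmd: id\n"

# The same object smuggled one level down, inside an otherwise harmless hash.
NESTED_DOC = "---\nname: demo\nextra: !ruby/object:Gadget\n  cmd: id\n"

# Strict loader: plain scalars, arrays and hashes only.
def load_strict(doc)
  YAML.safe_load(doc)
end

# Whitelisted loader: the caller lists the classes it is prepared to build.
# The list must stay minimal; every class on it is reachable from any nesting
# depth of the document, not only at the top level.
def load_with_permitted(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

# Returns :rejected when the loader refuses the document, else the object.
def try_load(doc, classes = nil)
  classes ? load_with_permitted(doc, classes) : load_strict(doc)
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $0
  p try_load(TAGGED_DOC)               # => :rejected
  p try_load(TAGGED_DOC, [Gadget]).cmd  # => "id"
  p try_load(NESTED_DOC)               # => :rejected (nesting does not evade the check)
end
```

The practical lesson for a spec loader is that the whitelist is the whole security boundary: any permitted class whose revived instances can be coerced into executing code (directly or through a method called later on the spec) re-opens the hole without any change to the loader.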
Veracode
added 2019/05/16 2:16 a.m. · 34 views

Privilege Escalation

RubyGems is vulnerable to privilege escalation attacks. A remote, unauthenticated attacker could elevate their privileges by interacting with the terminal via the use of escape sequences with a specifically crafted gem. Improper sanitization of gems' specification text enables the attacker to...

CVSS 9.8 · AI score 8.6 · EPSS 0.09304
Exploits 1 · References 15 · Affected software 6
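The escape sequence injection entries above (the three Red Hat advisories for gem owner output, verbose and error messages, and the Veracode entries on escape sequence injection and privilege escalation) come down to one defect: text controlled by an API response or a gem specification is written to the terminal with its control characters intact. The Ruby below is an added example rather than RubyGems' own fix; `clean_for_terminal`, `say_untrusted` and the sample strings are constructed.

```ruby
# Added example (not RubyGems code). Neutralises terminal control characters in
# untrusted text before it is printed, so a crafted gem name, description or
# API response cannot clear the screen, move the cursor or retitle the window.

# Bytes that drive a terminal: C0 controls other than tab and newline, plus DEL.
# ESC (0x1B) starts CSI/OSC sequences, BEL (0x07) terminates OSC, and CR (0x0D)
# rewinds to the start of the line so later text can hide earlier output.
CONTROL_CHARS = /[\x00-\x08\x0B-\x1F\x7F]/.freeze

# Replaces each control character with a visible "\xNN" escape. Hypothetical
# helper; tab and newline are left alone so ordinary multi-line text survives.
def clean_for_terminal(text)
  text.to_s.gsub(CONTROL_CHARS) { |c| format('\x%02X', c.ord) }
end

# Convenience wrapper: the one place untrusted strings should pass through on
# their way to stdout or into an error message.
def say_untrusted(text, io = $stdout)
  io.puts clean_for_terminal(text)
end

# Constructed samples of what a malicious server response or gemspec could carry.
SAMPLE_CLEAR_AND_FAKE = "\e[2J\e[HInstalled: legit-1.0 (verified)"   # clear screen, forge a status line
SAMPLE_RETITLE        = "\e]0;root@build\a ok"                        # OSC 0: change the window title
SAMPLE_OVERWRITE      = "downloading evil-1.0\rdownloading rake-13.0.0" # CR overwrites the real name

if __FILE__ == $0
  [SAMPLE_CLEAR_AND_FAKE, SAMPLE_RETITLE, SAMPLE_OVERWRITE].each { |s| say_untrusted(s) }
end
```

Filtering at the output boundary is the right place for this: the gem name, the API body and the exception message all reach the terminal by different routes, and a single chokepoint covers all of them where per-call-site escaping was missed.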
Veracode
added 2019/05/16 2:16 a.m. · 21 views

Improper Access Control

RubyGems is vulnerable to improper access control. A remote attacker with the ability to manipulate DNS responses could direct the gem command towards a different domain, due to unsanitized DNS responses when requesting the hostname of the rubygems server for a domain, resulting in DNS hijacking...

CVSS 8.1 · AI score 8.4 · EPSS 0.04996
Exploits 1 · References 16 · Affected software 6
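The entry above describes the gem command following a host name learned from a DNS response for the rubygems server's domain without checking it against that domain. The Ruby below is an added example of the kind of check that closes that gap, not RubyGems' own code; `dns_labels`, `srv_target_allowed?` and the sample names are constructed.

```ruby
# Added example (not RubyGems code). Validates a host name obtained from DNS
# (for example the target of a _rubygems._tcp SRV lookup) before it is trusted
# as the API host for the requested domain: it must be that domain or a
# subdomain of it, compared label by label rather than as a string suffix.

# Normalises a DNS name: case-insensitive, optional trailing dot, no empty
# labels. Returns nil for anything that does not look like a host name.
def dns_labels(name)
  return nil unless name.is_a?(String)
  labels = name.downcase.chomp(".").split(".", -1)
  return nil if labels.empty? || labels.any? { |l| l.empty? || l !~ /\A[a-z0-9-]+\z/ }
  labels
end

# True only when target equals domain or ends with ".domain" label-wise, so
# "evilrubygems.org" (string suffix match) and "rubygems.org.attacker.net"
# (prefix match) are both refused.
def srv_target_allowed?(domain, target)
  d = dns_labels(domain)
  t = dns_labels(target)
  return false if d.nil? || t.nil? || t.size < d.size
  t.last(d.size) == d
end

if __FILE__ == $0
  %w[api.rubygems.org rubygems.org evilrubygems.org rubygems.org.attacker.net].each do |host|
    puts "#{host}: #{srv_target_allowed?('rubygems.org', host)}"
  end
end
```

A check like this limits a DNS spoofer to hosts under the domain the user asked for; it does not replace TLS certificate validation on the resulting connection, which is what ultimately binds the host name to a key.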