
2157 matches found

CVE
added 2019/04/04 3:46 a.m., 95 views

CVE-2019-10842

CVE-2019-10842 describes an arbitrary code execution backdoor in bootstrap-sass 3.2.0.3 when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64-encoded code to be executed via eval(), enabling remote code execution on the target system. The ...

CVSS 10, AI score 9.8, EPSS 0.08898
Exploits: 1, References: 4, Affected Software: 1
Cvelist
added 2019/04/04 3:46 a.m., 14 views

CVE-2019-10842

Arbitrary code execution via backdoor code was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval, which can be leveraged to execute arbitrary code on the target...

AI score 9.8, EPSS 0.08898
Exploits: 1, References: 4
RubySec
added 2019/04/04 12:0 a.m., 24 views

Remote code execution in bootstrap-sass

Arbitrary code execution via backdoor code, when downloaded from rubygems.org, was discovered in bootstrap-sass 3.2.0.3. Users are advised to upgrade immediately to 3.2.0.4. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval, which can b...

CVSS 10, AI score 6.2, EPSS 0.08898
Exploits: 1, References: 1, Affected Software: 1
OpenVAS
added 2019/04/02 12:0 a.m., 79 views

Debian: Security Advisory (DLA-1735-1)

The remote host is missing an update for the Debian...

CVSS 8.8, AI score 8.4, EPSS 0.06225
Exploits: 1, References: 3
Tenable Nessus
added 2019/04/01 12:0 a.m., 35 views

Debian DLA-1735-1 : ruby2.1 security update

Several vulnerabilities have been discovered in rubygems embedded in ruby2.1, the interpreted scripting language. CVE-2019-8320 A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files which now include path-checking code for symlinks, it would delet...

CVSS 8.8, AI score 7, EPSS 0.06225
Exploits: 1, References: 7
Debian
added 2019/03/29 8:53 a.m., 103 views

[SECURITY] [DLA 1735-1] ruby2.1 security update

Package : ruby2.1 Version : 2.1.5-2+deb8u7 CVE ID : CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 Several vulnerabilities have been discovered in rubygems embedded in ruby2.1, the interpreted scripting language. CVE-2019-8320 A Directory Traversal issue was discovered in...

CVSS 8.8, AI score 9.3, EPSS 0.06225
Exploits: 1
UbuntuCve
added 2019/03/27 12:0 a.m., 19 views

CVE-2019-8321

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible...

CVSS 7.5, AI score 6.8, EPSS 0.00321
Exploits: 0, References: 6
UbuntuCve
added 2019/03/27 12:0 a.m., 23 views

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 8.8, AI score 7.2, EPSS 0.06225
Exploits: 1, References: 6
UbuntuCve
added 2019/03/27 12:0 a.m., 24 views

CVE-2019-8323

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur...

CVSS 7.5, AI score 6.8, EPSS 0.00321
Exploits: 0, References: 6
UbuntuCve
added 2019/03/27 12:0 a.m., 17 views

CVE-2019-8322

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

CVSS 7.5, AI score 6.8, EPSS 0.00321
Exploits: 0, References: 6
UbuntuCve
added 2019/03/27 12:0 a.m., 25 views

CVE-2019-8324

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check...

CVSS 8.8, AI score 7.3, EPSS 0.00501
Exploits: 0, References: 6
OSV
added 2019/03/27 12:0 a.m., 1 view

UBUNTU-CVE-2019-8321

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible...

CVSS 7.5, AI score 6.8, EPSS 0.00321
Exploits: 0, References: 7
OSV
added 2019/03/27 12:0 a.m., 1 view

UBUNTU-CVE-2019-8324

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check...

CVSS 8.8, AI score 7.3, EPSS 0.00501
Exploits: 0, References: 7
OSV
added 2019/03/27 12:0 a.m., 0 views

UBUNTU-CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 7.4, AI score 7.3, EPSS 0.06225
Exploits: 1, References: 7
UbuntuCve
added 2019/03/27 12:0 a.m., 36 views

CVE-2019-8325

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. There are many ways to cause an error...

CVSS 7.5, AI score 6.8, EPSS 0.00321
Exploits: 0, References: 6
OSV
added 2019/03/27 12:0 a.m., 0 views

UBUNTU-CVE-2019-8322

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

CVSS 7.5, AI score 6.8, EPSS 0.00321
Exploits: 0, References: 7
Kitploit
added 2019/03/25 12:9 p.m., 135 views

WPScan v3.4.5 - Black Box WordPress Vulnerability Scanner

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. INSTALL Prerequisites Optional but highly recommended: RVM Ruby = 2.3 - Recommended: latest Ruby 2.5.0 to 2.5.3 can caus...

AI score 7.2
Exploits: 0, References: 3
Tenable Nessus
added 2019/03/18 12:0 a.m., 40 views

FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)

RubyGems Security Advisories : CVE-2019-8320: Delete directory using symlink when decompressing tar CVE-2019-8321: Escape sequence injection vulnerability in 'verbose' CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner' CVE-2019-8323: Escape sequence injection vulnerability in A...

CVSS 8.8, AI score 6.8, EPSS 0.06225
Exploits: 1, References: 9
CNVD
added 2019/03/07 12:0 a.m., 1 view

RubyGems Code Execution Vulnerability

RubyGems is a Ruby package manager from the RubyGems organization. The product is mainly used for publishing and managing Ruby packages. A security vulnerability exists in RubyGems versions 2.6 through 3.0.2, which stems from Gem::CommandManager#run calling alert_error without escaping, and can be...

CVSS 7.5, AI score 9.3, EPSS 0.00321
Exploits: 0, References: 1
CNVD
added 2019/03/07 12:0 a.m., 1 view

RubyGems Code Execution Vulnerability (CNVD-2019-12149)

RubyGems is a Ruby package manager from the RubyGems organization. The product is mainly used for publishing and managing Ruby packages. A security vulnerability exists in RubyGems versions 2.6 through 3.0.2, which stems from the program not properly handling gem with multiple lines in the name. A...

CVSS 8.8, AI score 9.3, EPSS 0.00501
Exploits: 0, References: 1