2157 matches found

CNVD | added 2019/03/07 12:00 a.m. | 1 view

RubyGems Code Execution Vulnerability (CNVD-2019-12147)

RubyGems is a Ruby package manager from the RubyGems organization. The product is mainly used for publishing and managing Ruby packages. A security vulnerability exists in RubyGems versions 2.6 through 3.0.2 in gem owner, which stems from the gem owner command exporting the contents of an API...

CVSS 7.5 | AI score 9.6 | EPSS 0.00321
Exploits 0 | References 1

CNVD | added 2019/03/06 12:00 a.m. | 1 view

RubyGems Path Traversal Vulnerability

RubyGems is a Ruby package manager from the RubyGems organization. The product is mainly used for publishing and managing Ruby packages. A directory traversal vulnerability exists in RubyGems versions 2.7.6 through 3.0.2. An attacker can exploit this vulnerability to delete arbitrary files on a...

CVSS 8.8 | AI score 7 | EPSS 0.06225
Exploits 1 | References 1

RubySec | added 2019/03/05 12:00 a.m. | 17 views

Escape sequence injection vulnerability in verbose

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible...

CVSS 7.5 | AI score 2.5 | EPSS 0.00321
Exploits 0 | References 1 | Affected Software 1

FreeBSD | added 2019/03/05 12:00 a.m. | 41 views

RubyGems -- multiple vulnerabilities

RubyGems Security Advisories: CVE-2019-8320: Delete directory using symlink when decompressing tar CVE-2019-8321: Escape sequence injection vulnerability in 'verbose' CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner' CVE-2019-8323: Escape sequence injection vulnerability in AP...

CVSS 8.8 | AI score 1.6 | EPSS 0.06225
Exploits 1 | References 2

RubySec | added 2019/03/05 12:00 a.m. | 24 views

Escape sequence injection vulnerability in errors

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. There are many ways to cause an error...

CVSS 7.5 | AI score 3.2 | EPSS 0.00321
Exploits 0 | References 1 | Affected Software 1

RubySec | added 2019/03/05 12:00 a.m. | 21 views

Escape sequence injection vulnerability in gem owner

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

CVSS 7.5 | AI score 1.1 | EPSS 0.00321
Exploits 0 | References 1 | Affected Software 1

RubySec | added 2019/03/05 12:00 a.m. | 22 views

Installing a malicious gem may lead to arbitrary code execution

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check...

CVSS 8.8 | AI score 2.3 | EPSS 0.00501
Exploits 0 | References 1 | Affected Software 1

RubySec | added 2019/03/05 12:00 a.m. | 23 views

Delete directory using symlink when decompressing tar

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

CVSS 8.8 | AI score 1 | EPSS 0.06225
Exploits 1 | References 1 | Affected Software 1

RubySec | added 2019/03/05 12:00 a.m. | 15 views

Escape sequence injection vulnerability in api response handling

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur...

CVSS 7.5 | AI score 0.6 | EPSS 0.00321
Exploits 0 | References 1 | Affected Software 1

OSV | added 2019/02/05 4:25 p.m. | 4 views

GHSA-HHXM-4F85-RGR8 High severity vulnerability that affects many_versioned_gem

Logs password in plaintext. Impact: Logs the password used in plaintext. The password should be masked in logs to prevent it leaking. Patches: Has the problem been patched? What versions should users upgrade to? Workarounds: none. See also: Are there any links users can visit to find out more information?...

AI score 7.2
Exploits 0 | References 1

Github Security Blog | added 2019/02/05 4:25 p.m. | 18 views

High severity vulnerability that affects many_versioned_gem

Logs password in plaintext. Impact: Logs the password used in plaintext. The password should be masked in logs to prevent it leaking. Patches: Has the problem been patched? What versions should users upgrade to? Workarounds: none. See also: Are there any links users can visit to find out more information?...

AI score 1.8
Exploits 0 | References 1 | Affected Software 1

Veracode | added 2019/01/15 8:57 a.m. | 30 views

Denial Of Service (DoS) Via CPU Consumption

RubyGems is vulnerable to a denial of service (DoS) attack. It is possible due to a flaw in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb which allows a malicious gem version to cause a large amount of backtracking in a regular expression...

CVSS 4.3 | AI score 5.7 | EPSS 0.02017
Exploits 0 | References 20 | Affected Software 4

Veracode | added 2019/01/15 8:53 a.m. | 27 views

Man-in-the-Middle (MitM)

rubygems is vulnerable to a man-in-the-middle (MitM) attack. HTTPS connections are redirected to HTTP, which allows an attacker to sniff network traffic and obtain confidential information or modify a gem during installation...

CVSS 5.8 | AI score 5.6 | EPSS 0.00638
Exploits 0 | References 10 | Affected Software 3

CentOS | added 2018/12/13 8:46 p.m. | 158 views

ruby, rubygem, rubygems security update

CentOS Errata and Security Advisory CESA-2018:3738. An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 9.8 | AI score 7.1 | EPSS 0.0421
Exploits 0 | References 7

Tenable Nessus | added 2018/12/06 12:00 a.m. | 30 views

RHEL 6 : rubygem packages (RHSA-2013:0728)

This update fixes one security issue in multiple rubygem packages for Red Hat OpenShift Enterprise 1.1.3. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS 4.3 | AI score 8.3 | EPSS 0.02671
Exploits 0 | References 3

Tenable Nessus | added 2018/12/04 12:00 a.m. | 38 views

RHEL 6 : rubygems (RHSA-2013:1203)

An updated rubygems package that fixes two security issues is now available for Red Hat OpenShift Enterprise 1.2.2. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 5.8 | AI score 8.2 | EPSS 0.00638
Exploits 0 | References 5

Tenable Nessus | added 2018/12/04 12:00 a.m. | 30 views

RHEL 6 : rubygems (RHSA-2014:0207)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2014:0207 advisory. RubyGems is the Ruby standard for publishing and managing third-party libraries. It was discovered that the rubygems API validated version strings...

CVSS 4.3 | AI score 8.1 | EPSS 0.02017
Exploits 0 | References 5

RedHat Linux | added 2018/11/29 10:23 a.m. | 5 views

rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute that can...

CVSS 5.3 | AI score 7.2 | EPSS 0.01066
Exploits 0 | References 5

RedHat Linux | added 2018/11/29 10:23 a.m. | 2 views

rubygems: Improper verification of signatures in tarball allows to install mis-signed gem

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in...

CVSS 9.8 | AI score 7.3 | EPSS 0.00929
Exploits 0 | References 5

RedHat Linux | added 2018/11/29 10:10 a.m. | 3 views

rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code...

CVSS 7.8 | AI score 7.2 | EPSS 0.00535
Exploits 0 | References 5