RubyGems Escape sequence injection in errors

Severity: High
Status: GitHub Reviewed
Published to the GitHub Advisory Database: Jun 20, 2019
Last updated: Aug 28, 2023

Package
  Affected versions: >= 2.6.0, < 2.7.9; >= 3.0.0, < 3.0.2
  Patched versions: 2.7.9, 3.0.2

Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
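The risk the advisory describes is that an error message is written to the terminal without escaping, so any ESC (0x1b) or other control bytes that reach the message body (for example via a gem name, a file path, or a server response) are interpreted by the terminal as commands rather than displayed. The example below is added here to illustrate that pattern and one defensive fix; it is not RubyGems' own code, and the function names (unsafe_alert_error, sanitize_for_terminal, safe_alert_error, contains_terminal_controls?) and the sample input are constructed for this illustration.

```ruby
# Added example (not RubyGems' own code): why writing an untrusted error
# string straight to a terminal is risky, and one way to neutralise it.
#
# A terminal treats ESC (0x1b) and other C0 control bytes as commands:
# "\e[2J" clears the screen, "\e]0;title\a" sets the window title, and
# "\r" lets later text overwrite earlier text on the same line. If an
# error message echoes attacker-influenced input unescaped, the output
# can be made to hide or forge lines the operator would otherwise see.

# Unsanitised version, mirroring the pattern the advisory describes:
# the message is interpolated into the error line exactly as received.
# (Hypothetical helper name, not RubyGems' real alert_error.)
def unsafe_alert_error(message)
  "ERROR:  #{message}"
end

# Hardened version: replace every character that is not printable (keeping
# only tab and newline as allowed whitespace) with a visible escape so the
# terminal prints it instead of obeying it. ESC and CR get short mnemonic
# forms; everything else becomes \xNN per byte so a reader can still tell
# what was in the string.
def sanitize_for_terminal(message)
  message.to_s.gsub(/[^[:print:]\t\n]/) do |ch|
    case ch
    when "\e" then "\\e"
    when "\r" then "\\r"
    else
      ch.bytes.map { |b| format("\\x%02X", b) }.join
    end
  end
end

def safe_alert_error(message)
  "ERROR:  #{sanitize_for_terminal(message)}"
end

# Detection helper: does a string still contain bytes a terminal would
# interpret (any C0 control except tab/newline, or DEL)? Handy when
# scanning captured tool output or logs for this class of injection.
def contains_terminal_controls?(str)
  str.to_s.match?(/[\x00-\x08\x0b-\x1f\x7f]/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an "error" that tries to clear the screen, home
  # the cursor, and overwrite the line with a reassuring message.
  evil = "gem not found\e[2J\e[H\rAll checks passed"
  puts unsafe_alert_error(evil).inspect   # shows the raw control bytes
  puts safe_alert_error(evil)             # prints them as visible escapes
end
```

The sanitizer keeps ordinary multi-byte printable text intact (Ruby's [[:print:]] is Unicode-aware on UTF-8 strings) and only rewrites the characters a terminal would act on, which is the property you want at every point where untrusted text is echoed to a TTY, not just in error paths.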