Allele Security Alert
Escape sequence injection vulnerability in gem owner
RubyGems 2.6 and later through 3.0.2
Proof of concept
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
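The following is an added example, not code from RubyGems or from this alert: it shows one way a command-line client can neutralise control characters in fields taken from an API response before writing them to stdout. The helper names `printable` and `owner_lines`, the gem name and the sample owner records are assumptions constructed for illustration.

```ruby
# Added example: make untrusted API response fields safe to print on a terminal.
# Helper names and sample data are hypothetical, not RubyGems' own code.

# C0 controls (includes ESC, 0x1B), DEL, and C1 controls (includes 8-bit CSI, U+009B).
CONTROL_CHARS = /[\u0000-\u001F\u007F-\u009F]/

# Returns a printable copy of an untrusted value: invalid byte sequences are
# replaced with "?", every control character with ".".
def printable(value)
  value.to_s.scrub("?").gsub(CONTROL_CHARS, ".")
end

# Builds the lines an owner listing would print, cleaning each field first.
# Entries that are not hashes are skipped instead of being printed raw.
def owner_lines(gem_name, owners)
  lines = ["Owners for gem: #{printable(gem_name)}"]
  Array(owners).each do |owner|
    next unless owner.is_a?(Hash)
    label = owner["email"] || owner["handle"] || owner["id"]
    lines << "- #{printable(label)}"
  end
  lines
end

# Constructed sample: parsed owner records as a crafted response could supply them.
SAMPLE_OWNERS = [
  { "email" => "alice@example.com" },
  { "email" => "\e[31mmallory@example.com\e[0m" }, # colour escape sequence
  { "handle" => "bob\r\n- injected-line" },          # CR/LF that would fake a list entry
  { "id" => 42 },
].freeze

puts owner_lines("example-gem", SAMPLE_OWNERS) if $PROGRAM_NAME == __FILE__
```

Cleaning at the point of output covers every field regardless of how the response body was parsed, and the carriage return and line feed are replaced too, so a single field cannot add a fake entry to the listing.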
March 2019 Security Advisories
Clean ascii escape sequence polluted response bodies processed by Gem::Commands::OwnerCommand#show_owners
Last modified: June 20, 2019