Allele Security Alert
ASA-2019-00359
Identifier(s)
ASA-2019-00359, CVE-2019-8322
Title
Escape sequence injection vulnerability in gem owner
Vendor(s)
RubyGems.org
Product(s)
RubyGems
Affected version(s)
RubyGems 2.6 and later through 3.0.2
Fixed version(s)
RubyGems 3.0.3
RubyGems 2.7.8
Proof of concept
Unknown
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
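The mitigation for this class of defect, illustrated with added Ruby code that is not RubyGems' own and not taken from the referenced commit: an untrusted API response body is stripped of terminal escape sequences before a command echoes it to stdout. The function names, the regular expression and the sample response are constructed for this example.

```ruby
# Added example, not RubyGems' own code: neutralise terminal escape sequences
# in an untrusted HTTP response body before a CLI prints it to the user's
# terminal (the defect class described in this advisory). Names, the regex
# and the sample response below are constructed for this illustration.

# Sequences a terminal would act on, in order of specificity:
#   CSI  ESC [ parameters intermediates final   (colours, cursor movement)
#   OSC  ESC ] ... BEL  or  ESC ] ... ESC \      (window title, hyperlinks)
#   Fe   ESC followed by one byte in 0x40-0x5F   (any other 7-bit escape)
#   C0   remaining control bytes, except TAB and LF which are ordinary text
TERMINAL_ESCAPES = /
    \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]   # CSI
  | \e\][^\a\e]*(?:\a|\e\\)                  # OSC
  | \e[\x40-\x5f]                            # other two-byte escapes
  | [\x00-\x08\x0b-\x1f\x7f]                 # stray C0 controls and DEL
/x

# Returns a copy of body with every escape sequence removed. scrub replaces
# invalid bytes first so gsub never raises on a malformed response.
def sanitize_terminal_output(body)
  body.to_s.scrub.gsub(TERMINAL_ESCAPES, "")
end

# True when the body carries anything the sanitizer would strip; useful for
# logging that a server returned terminal control data in a text response.
def contains_terminal_escapes?(body)
  body.to_s.scrub.match?(TERMINAL_ESCAPES)
end

# Constructed sample of a response body that tries to recolour output,
# retitle the window and ring the bell; the sanitised copy is safe to print.
CRAFTED_RESPONSE =
  "Owners for gem: example\n" \
  "- 1: alice\e[31m (looks important)\e[0m\n" \
  "- 2: \e]0;changed title\abob\n" \
  "- 3: carol\a\n"

if __FILE__ == $PROGRAM_NAME
  warn "response contained terminal escapes" if contains_terminal_escapes?(CRAFTED_RESPONSE)
  puts sanitize_terminal_output(CRAFTED_RESPONSE)
end
```

The filter covers 7-bit sequences only; a response decoded as UTF-8 may also carry C1 control code points (U+0080 to U+009F) that some terminals honour, so a production filter should reject those as well.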
Technical details
Unknown
Credits
ooooooo_q
Reference(s)
March 2019 Security Advisories
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
Clean ascii escape sequence polluted response bodies processed by Gem::Commands::OwnerCommand#show_owners
https://github.com/rubygems/rubygems/commit/efed2ab38e165752f1efcc49a857882f40afd9cd
ruby-2.4.5-rubygems-v2.patch
https://bugs.ruby-lang.org/attachments/7669
CVE-2019-8322
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
CVE-2019-8322
https://nvd.nist.gov/vuln/detail/CVE-2019-8322
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: June 20, 2019