Allele Security Alert
Escape sequence injection vulnerability in API response handling
RubyGems 2.6 and later through 3.0.2
Proof of concept
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may write the API response to stdout unmodified. As a result, if the API side modifies the response, escape sequence injection may occur.
March 2019 Security Advisories
Clean ascii escape sequence polluted response bodies processed by Gem::GemcutterUtilities#with_response
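The idea behind cleaning a response body before it is printed, as an added example that is not code from RubyGems or from this alert: control characters in untrusted text are replaced before the text reaches stdout. The helper names `clean_response_body`, `control_chars_in` and `say_response`, and the sample body, are constructed for this illustration.

```ruby
# Added example (not RubyGems code): neutralise terminal control characters
# in an untrusted API response body before it reaches stdout.

# C0 controls except TAB, LF and CR, plus DEL and the C1 range.
# ESC (0x1b), BEL (0x07) and the one-character CSI (U+009B) all fall in here.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\u0080-\u009f]/

# Hypothetical helper: return a copy of +body+ that is safe to print.
def clean_response_body(body)
  text = body.dup.force_encoding(Encoding::UTF_8)
  text = text.scrub("?")          # invalid bytes (e.g. a raw 0x9b) become "?"
  text.gsub(CONTROL_CHARS, ".")   # control characters become visible dots
end

# Hypothetical helper: list the control code points found, for logging.
def control_chars_in(body)
  body.dup.force_encoding(Encoding::UTF_8).scrub("?")
      .scan(CONTROL_CHARS).uniq.map { |c| format("U+%04X", c.ord) }
end

# Hypothetical stand-in for the step that prints the response body.
def say_response(body, out: $stdout)
  out.puts clean_response_body(body)
end

# Constructed sample: a response body carrying a colour sequence and a
# window-title sequence, as a modified API response could.
SAMPLE_BODY = "Successfully registered gem\e[31m\e]0;constructed title\a"

if __FILE__ == $PROGRAM_NAME
  say_response(SAMPLE_BODY)
  warn "control characters replaced: #{control_chars_in(SAMPLE_BODY).join(', ')}"
end
```

TAB, LF and CR pass through so ordinary multi-line responses keep their layout; everything else in the control ranges is made visible instead of being interpreted by the terminal.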
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: June 20, 2019