Allele Security Alert
ASA-2019-00360
Identifier(s)
ASA-2019-00360, CVE-2019-8323
Title
Escape sequence injection vulnerability in API response handling
Vendor(s)
RubyGems.org
Product(s)
RubyGems
Affected version(s)
RubyGems 2.6 and later through 3.0.2
Fixed version(s)
RubyGems 3.0.3
RubyGems 2.7.8
Proof of concept
Unknown
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response, the helper that gem commands use to handle responses from the gem server's API, may write the API response to stdout as it is, without stripping control characters. If the API side modifies the response, for example a malicious or compromised server, terminal escape sequences embedded in the body reach the user's terminal unchanged and are interpreted there, so escape sequence injection may occur.
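As an added illustration (this is not code from the advisory, the fix commit, or RubyGems itself), the Ruby snippet below models the vulnerable pattern described above next to a hardened version. The response object, the response body, and the helper names are constructed for this example; the control-character class used by the sanitiser is this example's own choice and follows the idea of the referenced fix (clean the body before it is printed).

```ruby
# Added example, not RubyGems' own code. It models the with_response pattern:
# a gem command receives an HTTP response from the gem server's API and prints
# the body for the user. The response below is constructed for the example; it
# is the kind of body a malicious or compromised API server could return.

# Minimal stand-in for Net::HTTPResponse (status code + body only).
FakeResponse = Struct.new(:code, :body)

# ESC[2J clears the screen, ESC[H homes the cursor, ESC[32m / ESC[0m colour a
# fake success line, and the OSC sequence ESC]0;...BEL rewrites the terminal
# title. The real error text follows, but by then the user's terminal has been
# cleared and told that the push succeeded.
MALICIOUS_BODY = "\e[2J\e[H\e[32mPushed gem successfully\e[0m\e]0;pwned\a\n" \
                 "Permission denied: you are not an owner of this gem\n"

# Vulnerable pattern: whatever the server sent is written straight to the
# terminal (the equivalent of `say response.body`).
def render_vulnerable(response)
  response.body
end

# Hardened pattern: neutralise control characters before printing. Every C0
# control byte except TAB, LF and CR, plus DEL, is replaced with '.', so ESC
# (0x1b) and BEL (0x07) can no longer open or close a terminal sequence.
# The character class is an assumption of this example, not RubyGems' code.
def clean_text(text)
  text.gsub(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/, '.')
end

def render_hardened(response)
  clean_text(response.body)
end

# True if the text still contains bytes a terminal would interpret as the
# start (ESC) or terminator (BEL) of an escape / OSC sequence.
def terminal_controls?(text)
  text.match?(/[\e\a]/)
end

if __FILE__ == $PROGRAM_NAME
  resp = FakeResponse.new('403', MALICIOUS_BODY)
  # inspect is used so the demonstration does not itself clear your screen
  puts "vulnerable output: #{render_vulnerable(resp).inspect}"
  puts "hardened output:   #{render_hardened(resp).inspect}"
end
```

TAB, LF and CR are kept so ordinary multi-line server messages still display; note that a bare CR can still be abused to overwrite the current line, so a stricter policy may replace it as well.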
Technical details
Unknown
Credits
ooooooo_q
Reference(s)
March 2019 Security Advisories
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
Clean ascii escape sequence polluted response bodies processed by Gem::GemcutterUtilities#with_response
https://github.com/rubygems/rubygems/commit/671429574406ca03f8fb9574a1bca6f6f3c6c93c
ruby-2.4.5-rubygems-v2.patch
https://bugs.ruby-lang.org/attachments/7669
CVE-2019-8323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323
CVE-2019-8323
https://nvd.nist.gov/vuln/detail/CVE-2019-8323
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: June 20, 2019