RubyGems Escape sequence injection vulnerability in verbose · CVE-2019-8321 · GitHub Advisory Database · GitHub

RubyGems Escape sequence injection vulnerability in verbose

High severity GitHub Reviewed Published Jun 20, 2019 to the GitHub Advisory Database • Updated Aug 28, 2023

Package

rubygems-update (RubyGems)

Affected versions

>= 2.6.0, < 2.7.9

>= 3.0.0, < 3.0.2

Patched versions

2.7.9

3.0.2

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

References

Reviewed Jun 20, 2019

Published to the GitHub Advisory Database Jun 20, 2019

Last updated Aug 28, 2023

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N