CVE-2019-8322

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Published: Jun 17, 2019
Updated: May 9, 2024
CVE: CVE-2019-8322
GHSA: GHSA-mh37-8c3g-3fgc
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
rubygems / rubygems	2.6.0	3.0.2.x
debian / debian_linux	9.0	9.0.x
opensuse / leap	15.0	15.0.x
opensuse / leap	15.1	15.1.x
rubygems-update	2.6.0	2.7.9
rubygems-update	3.0.0	3.0.2

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
https://hackerone.com/reports/315087
https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

Vulnerability Database

289,697

CVE-2019-8322