CVE-2019-8324

Name
CVE-2019-8324
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. As a result, an attacker could inject arbitrary code into the stub line of the gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
NVD Severity
high
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Permissions Required https://hackerone.com/reports/328571
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1972
Mailing List https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* rubygems >= 2.6.0 <= 3.0.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status