CVE-2019-8322
Published: 27 March 2019
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
From the Ubuntu security team
It was discovered that the `gem owner` command failed to sanitize the contents of the API response. An attacker could use this vulnerability to inject escape sequences into a victim's terminal.
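To show what "sanitize the contents of the API response" means in practice, here is an added Ruby example (not RubyGems' own code and not the upstream patch) that strips control characters from a constructed owners response before it is printed; the response layout and the `email` field name are assumptions.

```ruby
require 'json'

# Replace every C0 control character except TAB and LF, plus DEL (0x7f),
# with a visible placeholder. ESC (0x1b) is what starts ANSI escape
# sequences, so neutralising it is what prevents terminal injection.
def clean_text(text)
  text.gsub(/[\x00-\x08\x0b-\x1f\x7f]/, '.')
end

# Render the owner list from a JSON API response body.
# sanitize: false reproduces the unsafe behaviour in the advisory (the
# server-controlled text is passed through unchanged); the default applies
# clean_text to every field before it reaches the terminal.
def render_owners(body, sanitize: true)
  JSON.parse(body).map do |owner|
    email = owner.fetch('email', '').to_s   # field name is an assumption
    sanitize ? clean_text(email) : email
  end
end

# Constructed sample response: the second email carries a "clear screen,
# move cursor home" escape sequence (\u001b = ESC) ahead of a forged name.
SAMPLE_RESPONSE =
  '[{"email":"alice@example.com"},' \
  '{"email":"\u001b[2J\u001b[1;1Hmallory@example.com"}]'

if $PROGRAM_NAME == __FILE__
  render_owners(SAMPLE_RESPONSE).each { |e| puts "- #{e}" }
end
```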
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
jruby (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
jruby | Ubuntu 20.10 (Groovy Gorilla) | Not vulnerable (9.1.17.0-3) |
jruby | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable (9.1.17.0-3) |
jruby | Ubuntu 18.04 LTS (Bionic Beaver) | Needed |
jruby | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (code not present) |
jruby | Ubuntu 14.04 ESM (Trusty Tahr) | Needed |
ruby1.9.1 (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
ruby1.9.1 | Ubuntu 20.10 (Groovy Gorilla) | Does not exist |
ruby1.9.1 | Ubuntu 20.04 LTS (Focal Fossa) | Does not exist |
ruby1.9.1 | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
ruby1.9.1 | Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist |
ruby1.9.1 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was released [1.9.3.484-2ubuntu1.14]) |
ruby2.0 (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
ruby2.0 | Ubuntu 20.10 (Groovy Gorilla) | Does not exist |
ruby2.0 | Ubuntu 20.04 LTS (Focal Fossa) | Does not exist |
ruby2.0 | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
ruby2.0 | Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist |
ruby2.0 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was released [2.0.0.484-1ubuntu2.13]) |
ruby2.1 (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
ruby2.1 | Ubuntu 20.10 (Groovy Gorilla) | Does not exist |
ruby2.1 | Ubuntu 20.04 LTS (Focal Fossa) | Does not exist |
ruby2.1 | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
ruby2.1 | Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist |
ruby2.1 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |
ruby2.3 (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
ruby2.3 | Ubuntu 20.10 (Groovy Gorilla) | Does not exist |
ruby2.3 | Ubuntu 20.04 LTS (Focal Fossa) | Does not exist |
ruby2.3 | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
ruby2.3 | Ubuntu 16.04 LTS (Xenial Xerus) | Released (2.3.1-2~16.04.12) |
ruby2.3 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |
ruby2.5 (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
ruby2.5 | Ubuntu 20.10 (Groovy Gorilla) | Does not exist |
ruby2.5 | Ubuntu 20.04 LTS (Focal Fossa) | Does not exist |
ruby2.5 | Ubuntu 18.04 LTS (Bionic Beaver) | Released (2.5.1-1ubuntu1.2) |
ruby2.5 | Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist |
ruby2.5 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |
Notes
Author | Note |
---|---|
tyhicks | ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
- https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
- https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
- https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- https://usn.ubuntu.com/usn/usn-3945-1
- NVD
- Launchpad
- Debian