MidnightBSD

Advisories for rubygems

CVE-2013-0269 HIGH

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rubygems json_gem 1.5.4
rubygems json_gem 1.6.4
rubygems json_gem 1.6.1
rubygems json_gem 1.6.3
rubygems json_gem 1.7.0
rubygems json_gem 1.7.2
rubygems json_gem 1.7.6
rubygems json_gem 1.6.7
rubygems json_gem 1.7.5
rubygems json_gem 1.5.3
rubygems json_gem 1.7.4
rubygems json_gem 1.7.1
rubygems json_gem 1.6.0
rubygems json_gem 1.5.0
rubygems json_gem 1.6.6
rubygems json_gem 1.6.5
rubygems json_gem 1.5.1
rubygems json_gem 1.6.2
rubygems json_gem 1.7.3
rubygems json_gem 1.5.2
CVE-2013-1875 HIGH

command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
rubygems command_wrap -
CVE-2013-2615 HIGH

lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
rubygems fastreader 1.0.8
CVE-2013-2616 HIGH

lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
rubygems mini_magick 1.3.1
CVE-2013-4287 MEDIUM

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
ruby-lang ruby 2.0
ruby-lang ruby 1.9.1
ruby-lang ruby 2.0.0
rubygems rubygems 1.8.4
rubygems rubygems 2.1.0
rubygems rubygems 2.0.0
rubygems rubygems 1.8.21
rubygems rubygems 1.8.11
rubygems rubygems 1.8.14
rubygems rubygems 1.8.17
rubygems rubygems 1.8.1
rubygems rubygems 1.8.16
rubygems rubygems 2.0.1
rubygems rubygems 1.8.22
rubygems rubygems 2.0.6
ruby-lang ruby 1.9
rubygems rubygems 1.8.5
rubygems rubygems 1.8.2
ruby-lang ruby 1.9.2
rubygems rubygems 1.8.13
rubygems rubygems 2.0.5
redhat enterprise_linux 6.0
rubygems rubygems 1.8.3
rubygems rubygems 1.8.20
rubygems rubygems 1.8.19
rubygems rubygems 1.8.9
rubygems rubygems 1.8.10
ruby-lang ruby 1.9.3
rubygems rubygems 1.8.15
rubygems rubygems 2.0.4
rubygems rubygems 1.8.8
rubygems rubygems *
rubygems rubygems 1.8.24
rubygems rubygems 1.8.25
rubygems rubygems 1.8.7
rubygems rubygems 1.8.12
rubygems rubygems 1.8.6
rubygems rubygems 1.8.0
rubygems rubygems 2.0.2
rubygems rubygems 2.0.3
rubygems rubygems 2.0.7
rubygems rubygems 1.8.18
CVE-2013-4363 MEDIUM

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
rubygems rubygems 1.8.11
rubygems rubygems 1.8.14
rubygems rubygems 1.8.17
rubygems rubygems 1.8.16
rubygems rubygems 2.0.9
rubygems rubygems 2.0.1
rubygems rubygems 1.8.22
rubygems rubygems 2.1.2
rubygems rubygems 1.8.2
rubygems rubygems 1.8.13
rubygems rubygems 1.8.26
rubygems rubygems 2.0.5
rubygems rubygems 1.8.19
rubygems rubygems 1.8.15
rubygems rubygems 2.0.4
rubygems rubygems 1.8.8
rubygems rubygems *
rubygems rubygems 1.8.25
rubygems rubygems 1.8.7
rubygems rubygems 2.0.3
rubygems rubygems 2.0.8
rubygems rubygems 2.0.7
rubygems rubygems 2.1.4
ruby-lang ruby 2.0
ruby-lang ruby 1.9.1
rubygems rubygems 1.8.4
rubygems rubygems 2.1.0
rubygems rubygems 2.0.0
rubygems rubygems 1.8.21
rubygems rubygems 1.8.1
rubygems rubygems 2.0.6
ruby-lang ruby 1.9
rubygems rubygems 1.8.5
rubygems rubygems 2.1.1
ruby-lang ruby 1.9.2
rubygems rubygems 1.8.3
rubygems rubygems 1.8.20
rubygems rubygems 1.8.9
rubygems rubygems 1.8.10
ruby-lang ruby 1.9.3
rubygems rubygems 1.8.24
rubygems rubygems 1.8.12
rubygems rubygems 1.8.6
rubygems rubygems 1.8.0
rubygems rubygems 2.0.2
rubygems rubygems 1.8.18
rubygems rubygems 2.1.3
CVE-2015-3900 MEDIUM

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
oracle solaris 11.3
ruby-lang ruby 1.9.1
ruby-lang ruby 2.2.0
ruby-lang ruby 2.0.0
ruby-lang ruby 2.1.3
ruby-lang ruby 2.1.5
rubygems rubygems 2.0.0
rubygems rubygems 2.4.4
rubygems rubygems 2.4.6
ruby-lang ruby 2.1
rubygems rubygems 2.2.0
rubygems rubygems 2.0.13
rubygems rubygems 2.4.1
rubygems rubygems 2.0.15
rubygems rubygems 2.2.3
rubygems rubygems 2.0.9
ruby-lang ruby 2.1.1
rubygems rubygems 2.0.1
rubygems rubygems 2.0.6
ruby-lang ruby 1.9
rubygems rubygems 2.2.1
ruby-lang ruby 1.9.2
ruby-lang ruby 2.1.4
rubygems rubygems 2.0.14
rubygems rubygems 2.2.2
rubygems rubygems 2.0.5
redhat enterprise_linux 6.0
ruby-lang ruby 2.1.2
ruby-lang ruby 1.9.3
rubygems rubygems 2.0.11
rubygems rubygems 2.4.5
rubygems rubygems 2.0.4
rubygems rubygems 2.4.3
rubygems rubygems 2.4.0
rubygems rubygems 2.0.10
rubygems rubygems 2.0.2
rubygems rubygems 2.0.3
rubygems rubygems 2.0.8
redhat enterprise_linux 7.0
rubygems rubygems 2.0.7
rubygems rubygems 2.4.2
rubygems rubygems 2.0.12
CVE-2015-4020 MEDIUM

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
oracle solaris 11.3
rubygems rubygems 2.0.16
rubygems rubygems 2.0.0
rubygems rubygems 2.4.4
rubygems rubygems 2.4.6
rubygems rubygems 2.2.0
rubygems rubygems 2.0.13
rubygems rubygems 2.4.1
rubygems rubygems 2.0.15
rubygems rubygems 2.2.3
rubygems rubygems 2.0.9
rubygems rubygems 2.0.1
rubygems rubygems 2.0.6
rubygems rubygems 2.2.1
rubygems rubygems 2.2.4
rubygems rubygems 2.0.14
rubygems rubygems 2.2.2
rubygems rubygems 2.0.5
rubygems rubygems 2.0.11
rubygems rubygems 2.4.5
rubygems rubygems 2.0.4
rubygems rubygems 2.4.3
rubygems rubygems 2.4.0
rubygems rubygems 2.0.10
rubygems rubygems 2.0.2
rubygems rubygems 2.0.3
rubygems rubygems 2.0.8
rubygems rubygems 2.0.7
rubygems rubygems 2.4.2
rubygems rubygems 2.4.7
rubygems rubygems 2.0.12
CVE-2017-0899 HIGH

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-150,CWE-94,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server_eus 7.4
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.6
rubygems rubygems *
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.5
debian debian_linux 8.0
CVE-2017-0900 MEDIUM

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server_eus 7.4
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.6
rubygems rubygems *
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.5
debian debian_linux 8.0
CVE-2017-0901 MEDIUM

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.6
rubygems rubygems *
redhat enterprise_linux_server_eus 7.6
canonical ubuntu_linux 14.04
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 17.10
redhat enterprise_linux_server_eus 7.5
debian debian_linux 8.0
CVE-2017-0902 MEDIUM

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-350,CWE-346,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.6
rubygems rubygems *
redhat enterprise_linux_server_eus 7.6
canonical ubuntu_linux 14.04
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 17.10
redhat enterprise_linux_server_eus 7.5
debian debian_linux 8.0
CVE-2017-0903 HIGH

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rubygems rubygems 2.1.7
rubygems rubygems 2.0.16
rubygems rubygems 2.2.0.preiew.1
rubygems rubygems 2.6.0
rubygems rubygems 2.4.4
rubygems rubygems 2.4.6
canonical ubuntu_linux 16.04
rubygems rubygems 2.2.0
debian debian_linux 9.0
rubygems rubygems 2.0.13
rubygems rubygems 2.4.1
rubygems rubygems 2.0.15
rubygems rubygems 2.2.3
rubygems rubygems 2.0.9
rubygems rubygems 2.0.1
rubygems rubygems 2.1.6
rubygems rubygems 2.1.2
rubygems rubygems 2.4.8
canonical ubuntu_linux 14.04
redhat enterprise_linux_workstation 7.0
rubygems rubygems 2.6.11
rubygems rubygems 2.1.0.rc.2
rubygems rubygems 2.3.0
rubygems rubygems 2.6.3
rubygems rubygems 2.2.4
rubygems rubygems 2.2.0.rc.1
rubygems rubygems 2.1.11
rubygems rubygems 2.0.14
redhat enterprise_linux_server_tus 7.4
rubygems rubygems 2.0.5
rubygems rubygems 2.6.1
redhat enterprise_linux_server_eus 7.4
rubygems rubygems 2.6.9
rubygems rubygems 2.0.11
rubygems rubygems 2.1.5
rubygems rubygems 2.5.2
rubygems rubygems 2.4.5
rubygems rubygems 2.0.4
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_eus 7.6
rubygems rubygems 2.0.17
rubygems rubygems 2.0.10
rubygems rubygems 2.2.5
canonical ubuntu_linux 17.10
rubygems rubygems 2.0.3
rubygems rubygems 2.0.8
rubygems rubygems 2.0.7
rubygems rubygems 2.1.0.rc.1
rubygems rubygems 2.0.12
rubygems rubygems 2.6.4
rubygems rubygems 2.1.4
rubygems rubygems 2.1.0
rubygems rubygems 2.0.0
rubygems rubygems 2.1.9
rubygems rubygems 2.6.13
rubygems rubygems 2.0.6
rubygems rubygems 2.6.10
rubygems rubygems 2.2.1
rubygems rubygems 2.1.1
rubygems rubygems 2.6.8
rubygems rubygems 2.5.0
redhat enterprise_linux_server_eus 7.5
rubygems rubygems 2.2.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 7.0
rubygems rubygems 2.6.12
rubygems rubygems 2.6.2
rubygems rubygems 2.6.7
rubygems rubygems 2.4.3
rubygems rubygems 2.4.0
rubygems rubygems 2.5.1
rubygems rubygems 2.1.8
rubygems rubygems 2.6.5
rubygems rubygems 2.6.6
rubygems rubygems 2.1.10
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
rubygems rubygems 2.0.2
rubygems rubygems 2.4.2
rubygems rubygems 2.4.7
debian debian_linux 8.0
rubygems rubygems 2.1.3
CVE-2018-1000073 MEDIUM

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
rubygems rubygems *
CVE-2018-1000074 MEDIUM

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
rubygems rubygems *
CVE-2018-1000075 MEDIUM

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 7.0
rubygems rubygems *
CVE-2018-1000076 HIGH

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-347,

Products Affected

Vendor Product Version
debian debian_linux 7.0
rubygems rubygems *
CVE-2018-1000077 MEDIUM

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 7.0
rubygems rubygems *
CVE-2018-1000078 MEDIUM

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 7.0
rubygems rubygems *
CVE-2018-1000079 MEDIUM

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
rubygems rubygems *
CVE-2019-8320 HIGH

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
rubygems rubygems *
CVE-2019-8321 MEDIUM

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-88,

Products Affected

Vendor Product Version
opensuse leap 15.1
opensuse leap 15.0
debian debian_linux 9.0
rubygems rubygems *
CVE-2019-8322 MEDIUM

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
opensuse leap 15.1
opensuse leap 15.0
debian debian_linux 9.0
rubygems rubygems *
CVE-2019-8323 MEDIUM

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
opensuse leap 15.1
opensuse leap 15.0
debian debian_linux 9.0
rubygems rubygems *
CVE-2019-8324 MEDIUM

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
opensuse leap 15.1
opensuse leap 15.0
redhat enterprise_linux 8.0
debian debian_linux 9.0
rubygems rubygems *
CVE-2019-8325 MEDIUM

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
opensuse leap 15.1
opensuse leap 15.0
debian debian_linux 9.0
rubygems rubygems *
CVE-2022-29176 MEDIUM

Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes in its name creation within 30 days OR no updates for over 100 days At present, we believe this vulnerability has not been exploited. RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem has been yanked without authorization. An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete. Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit. To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability. RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,CWE-863,

Products Affected

Vendor Product Version
rubygems rubygems.org -
CVE-2022-29218 MEDIUM

RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-290,CWE-863,

Products Affected

Vendor Product Version
rubygems rubygems.org -
CVE-2022-36073

RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that account, and when a legitimate user attempts to create an account with their email (and has to reset password to gain access) and is granted access to other gems, the attacker would then be able to publish and yank versions of those gems. Commit number 90c9e6aac2d91518b479c51d48275c57de492d4d contains a patch for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security-advisories@github.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
rubygems rubygems *
CVE-2023-40165

rubygems.org is the Ruby community's primary gem (library) hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching `/-\d/`, permanently replacing the legitimate upload in the canonical gem storage bucket, and triggering an immediate CDN purge so that the malicious gem would be served immediately. The maintainers have checked all gems matching the `/-\d/` pattern and can confirm that no unexpected `.gem`s were found. As a result, we believe this vulnerability was _not_ exploited. The easiest way to ensure that a user's applications were not exploited by this vulnerability is to check that all of your downloaded .gems have a checksum that matches the checksum recorded in the RubyGems.org database. RubyGems contributor Maciej Mensfeld wrote a tool to automatically check that all downloaded .gem files match the checksums recorded in the RubyGems.org database. You can use it by running: `bundle add bundler-integrity` followed by `bundle exec bundler-integrity`. Neither this tool nor anything else can prove you were not exploited, but the can assist your investigation by quickly comparing RubyGems API-provided checksums with the checksums of files on your disk. The issue has been patched with improved input validation and the changes are live. No action is required on the part of the user. Users are advised to validate their local gems.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
rubygems rubygems.org *
CVE-2024-21654

Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security-advisories@github.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
rubygems rubygems.org *