CVE-2019-8320: Path Traversal
First published: Mon Mar 25 2019(Updated: )
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rubygems-update | >=3.0.0<3.0.3 | 3.0.3 |
| rubygems/rubygems-update | >=2.7.6<2.7.9 | 2.7.9 |
| Rubygems Rubygems | >=2.7.6<=3.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-8320
- https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- https://hackerone.com/reports/317321
- https://access.redhat.com/errata/RHSA-2019:1429
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2019-8320.yml
- https://github.com/advisories/GHSA-5x32-c9mf-49cc (Advisory)
- https://bugs.ruby-lang.org/attachments/7669
- https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1692530
- https://github.com/rubygems/rubygems/pull/2722
- https://access.redhat.com/errata/RHSA-2019:1148
- https://access.redhat.com/errata/RHSA-2019:1150
- https://bugzilla.redhat.com/show_bug.cgi?id=1692512
Frequently Asked Questions
What is CVE-2019-8320?
CVE-2019-8320 is a Directory Traversal vulnerability discovered in RubyGems 2.7.6 through 3.0.2.
How severe is CVE-2019-8320?
CVE-2019-8320 has a severity of 7.4 (High).
How does CVE-2019-8320 affect RubyGems?
CVE-2019-8320 affects RubyGems versions 2.7.6 through 3.0.2.
What is the remedy for CVE-2019-8320 in RubyGems?
The remedy for CVE-2019-8320 in RubyGems is to upgrade to version 3.0.3.
Where can I find more information about CVE-2019-8320?
You can find more information about CVE-2019-8320 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-8320), [RubyGems Blog](https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html), [HackerOne Report](https://hackerone.com/reports/317321).
- collector/github-advisory-latest
- alias/GHSA-5x32-c9mf-49cc
- alias/CVE-2019-8320
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- agent/event
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- package-manager/rubygems
- vendor/rubygems
- canonical/rubygems rubygems
- version/rubygems rubygems/2.7.6
- version/rubygems rubygems/3.0.2