CVE-2019-8324: Code Injection
First published: Tue Mar 05 2019(Updated: )
A flaw was found in RubyGems. A crafted gem with a multi-line name is not handled correctly allowing an attacker to inject arbitrary code to the stub line of gemspec. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rubygems-update | >=3.0.0<3.0.2 | 3.0.2 |
| rubygems/rubygems-update | >=2.6.0<2.7.9 | 2.7.9 |
| redhat/cfme | <0:5.10.5.1-1.el7cf | 0:5.10.5.1-1.el7cf |
| redhat/cfme-amazon-smartstate | <0:5.10.5.1-1.el7cf | 0:5.10.5.1-1.el7cf |
| redhat/cfme-appliance | <0:5.10.5.1-1.el7cf | 0:5.10.5.1-1.el7cf |
| redhat/cfme-gemset | <0:5.10.5.1-1.el7cf | 0:5.10.5.1-1.el7cf |
| redhat/ruby | <0:2.4.6-91.el7cf | 0:2.4.6-91.el7cf |
| redhat/ruby | <0:2.0.0.648-35.el7_6 | 0:2.0.0.648-35.el7_6 |
| redhat/ruby | <0:2.0.0.648-37.el7_4 | 0:2.0.0.648-37.el7_4 |
| redhat/rh-ruby24-ruby | <0:2.4.6-92.el6 | 0:2.4.6-92.el6 |
| redhat/rh-ruby23-ruby | <0:2.3.8-70.el6 | 0:2.3.8-70.el6 |
| redhat/rh-ruby25-ruby | <0:2.5.5-7.el7 | 0:2.5.5-7.el7 |
| redhat/rh-ruby24-ruby | <0:2.4.6-92.el7 | 0:2.4.6-92.el7 |
| redhat/rh-ruby23-ruby | <0:2.3.8-70.el7 | 0:2.3.8-70.el7 |
| Rubygems Rubygems | >=2.6.0<=3.0.2 | |
| Debian Debian Linux | =9.0 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| Redhat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-8324
- https://access.redhat.com/errata/RHSA-2019:1972
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2019-8324.yml
- https://github.com/advisories/GHSA-76wm-422q-92mq (Advisory)
- https://hackerone.com/reports/328571
- https://bugs.ruby-lang.org/attachments/7669
- https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1692530
- https://github.com/rubygems/rubygems/commit/00ff3037a577889bd1e555966d9e0d17bea8d28d
- https://github.com/rubygems/rubygems/commit/be3ad330cd1d7403389a3cc53a68b95a0a2b6491
- https://access.redhat.com/errata/RHSA-2019:1148
- https://access.redhat.com/errata/RHSA-2019:1150
- https://access.redhat.com/errata/RHSA-2019:1151
- https://access.redhat.com/errata/RHSA-2019:1235
- https://access.redhat.com/errata/RHSA-2019:1429
- https://access.redhat.com/security/cve/cve-2019-8324
- https://access.redhat.com/errata/RHSA-2020:2769
- https://bugzilla.redhat.com/show_bug.cgi?id=1692520
- https://www.cve.org/CVERecord?id=CVE-2019-8324 https://nvd.nist.gov/vuln/detail/CVE-2019-8324 https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-8324?
CVE-2019-8324 is a vulnerability in RubyGems that allows an attacker to inject arbitrary code.
How does CVE-2019-8324 impact RubyGems?
CVE-2019-8324 impacts RubyGems by allowing an attacker to inject arbitrary code into a gem with a multi-line name.
What is the severity of CVE-2019-8324?
CVE-2019-8324 has a severity rating of 8.8, which is considered high.
Which versions of RubyGems are affected by CVE-2019-8324?
RubyGems versions 2.6 and later through 3.0.2 are affected by CVE-2019-8324.
Where can I find more information about CVE-2019-8324?
You can find more information about CVE-2019-8324 at the following references: [link1] [link2] [link3].
- collector/github-advisory-latest
- alias/GHSA-76wm-422q-92mq
- alias/CVE-2019-8324
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- agent/tags
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/rubygems
- package-manager/redhat
- vendor/rubygems
- canonical/rubygems rubygems
- version/rubygems rubygems/2.6.0
- version/rubygems rubygems/3.0.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0