REDHAT-BUG-1692520
First published: Mon Mar 25 2019(Updated: )
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. Upstream patch: <a href="https://bugs.ruby-lang.org/attachments/7669">https://bugs.ruby-lang.org/attachments/7669</a> References: <a href="https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/">https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/</a> <a href="https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html">https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| RubyGems | >=2.6<=3.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.ruby-lang.org/attachments/7669
- https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
- https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1692530
- https://github.com/rubygems/rubygems/commit/00ff3037a577889bd1e555966d9e0d17bea8d28d
- https://github.com/rubygems/rubygems/commit/be3ad330cd1d7403389a3cc53a68b95a0a2b6491
- https://access.redhat.com/errata/RHSA-2019:1148
- https://access.redhat.com/errata/RHSA-2019:1150
- https://access.redhat.com/errata/RHSA-2019:1151
- https://access.redhat.com/errata/RHSA-2019:1235
- https://access.redhat.com/errata/RHSA-2019:1429
- https://access.redhat.com/security/cve/cve-2019-8324
- https://access.redhat.com/errata/RHSA-2019:1972
- https://access.redhat.com/errata/RHSA-2020:2769
- https://bugzilla.redhat.com/show_bug.cgi?id=1692520
Frequently Asked Questions
What is the severity of REDHAT-BUG-1692520?
The severity of REDHAT-BUG-1692520 is considered critical due to the potential for arbitrary code execution.
How do I fix REDHAT-BUG-1692520?
To fix REDHAT-BUG-1692520, upgrade RubyGems to a version higher than 3.0.2, where the vulnerability has been patched.
Which versions of RubyGems are affected by REDHAT-BUG-1692520?
RubyGems versions from 2.6 to 3.0.2 are affected by the vulnerability defined in REDHAT-BUG-1692520.
Can REDHAT-BUG-1692520 be exploited remotely?
Yes, REDHAT-BUG-1692520 can potentially be exploited remotely through the installation of a malicious gem.
What are the consequences of an exploit for REDHAT-BUG-1692520?
Exploiting REDHAT-BUG-1692520 allows an attacker to execute arbitrary code on the victim's system, leading to potential data breaches and system compromise.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-8324
- agent/source
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/rubygems
- canonical/rubygems