CVE-2019-8320

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-8320

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-8320.json

Aliases

GHSA-5x32-c9mf-49cc

Related

Published

2019-06-06T15:29:01Z

Modified

2023-11-29T07:40:39.557647Z

Details

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

References

Affected packages

Alpine:v3.6 / ruby

Package

Name: ruby

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.4.6-r0

Affected versions

1.*

1.8.7_p72-r1

1.8.7_p72-r2

1.8.7_p160-r2

1.8.7_p160-r3

1.8.7_p174-r0

1.8.7_p174-r1

1.8.7_p174-r2

1.8.7_p174-r3

1.8.7_p174-r4

1.8.7_p174-r6

1.8.7_p174-r7

1.8.7_p299-r0

1.8.7_p299-r1

1.8.7_p299-r2

1.8.7_p352-r0

1.8.7_p352-r1

1.8.7_p358-r1

1.9.3_p194-r0

1.9.3_p286-r0

1.9.3_p286-r1

1.9.3_p286-r2

1.9.3_p327-r0

1.9.3_p362-r0

1.9.3_p374-r0

1.9.3_p385-r0

1.9.3_p392-r0

2.*

2.0.0_p0-r0

2.0.0_p0-r1

2.0.0_p195-r0

2.0.0_p247-r0

2.0.0_p247-r1

2.0.0_p247-r2

2.0.0_p247-r3

2.0.0_p353-r0

2.0.0_p353-r1

2.0.0_p353-r2

2.0.0_p481-r0

2.1.5-r0

2.1.5-r1

2.2.1-r0

2.2.2-r0

2.2.2-r1

2.2.3-r0

2.2.3-r1

2.2.4-r0

2.3.1-r0

2.3.1-r1

2.3.1-r2

2.3.2-r0

2.3.3-r0

2.3.3-r1

2.3.3-r2

2.3.3-r3

2.4.0-r3

2.4.1-r3

2.4.2-r3

2.4.3-r3

2.4.4-r3

2.4.5-r3

Alpine:v3.7 / ruby

Package

Name: ruby

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.4.6-r0

Affected versions

1.*

1.8.7_p72-r1

1.8.7_p72-r2

1.8.7_p160-r2

1.8.7_p160-r3

1.8.7_p174-r0

1.8.7_p174-r1

1.8.7_p174-r2

1.8.7_p174-r3

1.8.7_p174-r4

1.8.7_p174-r6

1.8.7_p174-r7

1.8.7_p299-r0

1.8.7_p299-r1

1.8.7_p299-r2

1.8.7_p352-r0

1.8.7_p352-r1

1.8.7_p358-r1

1.9.3_p194-r0

1.9.3_p286-r0

1.9.3_p286-r1

1.9.3_p286-r2

1.9.3_p327-r0

1.9.3_p362-r0

1.9.3_p374-r0

1.9.3_p385-r0

1.9.3_p392-r0

2.*

2.0.0_p0-r0

2.0.0_p0-r1

2.0.0_p195-r0

2.0.0_p247-r0

2.0.0_p247-r1

2.0.0_p247-r2

2.0.0_p247-r3

2.0.0_p353-r0

2.0.0_p353-r1

2.0.0_p353-r2

2.0.0_p481-r0

2.1.5-r0

2.1.5-r1

2.2.1-r0

2.2.2-r0

2.2.2-r1

2.2.3-r0

2.2.3-r1

2.2.4-r0

2.3.1-r0

2.3.1-r1

2.3.1-r2

2.3.2-r0

2.3.3-r0

2.3.3-r1

2.3.3-r2

2.3.3-r3

2.4.0-r3

2.4.1-r3

2.4.2-r3

2.4.3-r3

2.4.4-r3

2.4.5-r3

Alpine:v3.8 / ruby

Package

Name: ruby

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.5.5-r0

Affected versions

1.*

1.8.7_p72-r1

1.8.7_p72-r2

1.8.7_p160-r2

1.8.7_p160-r3

1.8.7_p174-r0

1.8.7_p174-r1

1.8.7_p174-r2

1.8.7_p174-r3

1.8.7_p174-r4

1.8.7_p174-r6

1.8.7_p174-r7

1.8.7_p299-r0

1.8.7_p299-r1

1.8.7_p299-r2

1.8.7_p352-r0

1.8.7_p352-r1

1.8.7_p358-r1

1.9.3_p194-r0

1.9.3_p286-r0

1.9.3_p286-r1

1.9.3_p286-r2

1.9.3_p327-r0

1.9.3_p362-r0

1.9.3_p374-r0

1.9.3_p385-r0

1.9.3_p392-r0

2.*

2.0.0_p0-r0

2.0.0_p0-r1

2.0.0_p195-r0

2.0.0_p247-r0

2.0.0_p247-r1

2.0.0_p247-r2

2.0.0_p247-r3

2.0.0_p353-r0

2.0.0_p353-r1

2.0.0_p353-r2

2.0.0_p481-r0

2.1.5-r0

2.1.5-r1

2.2.1-r0

2.2.2-r0

2.2.2-r1

2.2.3-r0

2.2.3-r1

2.2.4-r0

2.3.1-r0

2.3.1-r1

2.3.1-r2

2.3.2-r0

2.3.3-r0

2.3.3-r1

2.3.3-r2

2.3.3-r3

2.4.0-r3

2.4.1-r3

2.4.2-r3

2.4.3-r3

2.5.0-r3

2.5.1-r3

2.5.2-r3

Alpine:v3.9 / ruby

Package

Name: ruby

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.5.5-r0

Affected versions

1.*

1.8.7_p72-r1

1.8.7_p72-r2

1.8.7_p160-r2

1.8.7_p160-r3

1.8.7_p174-r0

1.8.7_p174-r1

1.8.7_p174-r2

1.8.7_p174-r3

1.8.7_p174-r4

1.8.7_p174-r6

1.8.7_p174-r7

1.8.7_p299-r0

1.8.7_p299-r1

1.8.7_p299-r2

1.8.7_p352-r0

1.8.7_p352-r1

1.8.7_p358-r1

1.9.3_p194-r0

1.9.3_p286-r0

1.9.3_p286-r1

1.9.3_p286-r2

1.9.3_p327-r0

1.9.3_p362-r0

1.9.3_p374-r0

1.9.3_p385-r0

1.9.3_p392-r0

2.*

2.0.0_p0-r0

2.0.0_p0-r1

2.0.0_p195-r0

2.0.0_p247-r0

2.0.0_p247-r1

2.0.0_p247-r2

2.0.0_p247-r3

2.0.0_p353-r0

2.0.0_p353-r1

2.0.0_p353-r2

2.0.0_p481-r0

2.1.5-r0

2.1.5-r1

2.2.1-r0

2.2.2-r0

2.2.2-r1

2.2.3-r0

2.2.3-r1

2.2.4-r0

2.3.1-r0

2.3.1-r1

2.3.1-r2

2.3.2-r0

2.3.3-r0

2.3.3-r1

2.3.3-r2

2.3.3-r3

2.4.0-r3

2.4.1-r3

2.4.2-r3

2.4.3-r3

2.5.0-r3

2.5.1-r3

2.5.2-r3

2.5.3-r3

Git / github.com/rubygems/rubygems

Affected ranges

Type: GIT
Repo: https://github.com/rubygems/rubygems
Events: Introduced

5971b486d4dbb2bad5d3445b3801c456eb0ce183

Last affected

d5ddf07a88a89c34339b268533de594990f7170b

Affected versions

v2.*

v2.7.6

v2.7.7

v2.7.8

v3.*

v3.0.0

v3.0.0.beta1

v3.0.0.beta3

v3.0.1

v3.0.2