GHSA-mh37-8c3g-3fgc

Suggest an improvement
Source
https://github.com/advisories/GHSA-mh37-8c3g-3fgc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-mh37-8c3g-3fgc/GHSA-mh37-8c3g-3fgc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mh37-8c3g-3fgc
Aliases
Published
2019-06-20T16:06:00Z
Modified
2024-02-16T08:10:36.717536Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
RubyGems Escape sequence injection vulnerability in gem owner
Details

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Database specific
{
    "nvd_published_at": "2019-06-17T20:15:10Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-20T16:00:00Z"
}
References

Affected packages

RubyGems / rubygems-update

Package

Name
rubygems-update
Purl
pkg:gem/rubygems-update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.0
Fixed
2.7.9

Affected versions

2.*

2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4.pre1
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8

RubyGems / rubygems-update

Package

Name
rubygems-update
Purl
pkg:gem/rubygems-update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.2

Affected versions

3.*

3.0.0
3.0.1