CVE-2019-8320

CVSS v3.0 7.4 (High)
CVSS v2.0 8.8 (High)
EPSS 0.60 % (79th)
Affected Products 1
Advisories 14

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2019-06-06 15:29:01
Updated Date
2020-08-16 15:15:13

Affected Products


Configuration #1

    Product                                                     CPE23                        From       Up To
    RubyGems from version 2.7.6 through 3.0.2 (inclusive)       cpe:2.3:a:rubygems:rubygems  >= 2.7.6   <= 3.0.2