[RUBYSEC:RUBYGEMS-UPDATE-2019-8323] Escape sequence injection vulnerability in API response handling

Severity High
Affected Packages 2
Unaffected Packages 1
Fixed Packages 2
CVEs 1

An issue was discovered in RubyGems 2.6 and later through 3.0.2.
Gem::GemcutterUtilities#with_response may write the API response to stdout
verbatim. Therefore, if the response is modified on the API side, escape
sequence injection may occur.
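An added example (not RubyGems' own code) of the defensive pattern the fix implies: a Ruby helper that neutralizes terminal escape sequences and control characters in an untrusted API response before it is written to the terminal, shown beside the vulnerable verbatim-print pattern the advisory describes. The function names and the sample response are constructed for this illustration.

```ruby
require "stringio"

# Terminal escape sequences an untrusted string must not carry to the screen:
# CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \), other ESC+byte
# sequences, and a stray ESC on its own. Tried in this order at each position.
ESCAPE_SEQUENCE = /
    \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]   # CSI: cursor moves, clears, colours
  | \e\][^\a\e]*(?:\a|\e\\)                   # OSC: window title and similar
  | \e[\x40-\x5f]                             # other Fe sequences (ESC + one byte)
  | \e                                        # lone ESC
/x

# Returns a copy of +text+ that is safe to write to a terminal: escape
# sequences are removed and remaining control characters (other than
# tab and newline) are shown in caret notation (^M, ^G, ^?), so tampering
# stays visible instead of being interpreted by the terminal.
def sanitize_for_terminal(text)
  text.to_s.scrub
      .gsub(ESCAPE_SEQUENCE, "")
      .gsub(/[\x00-\x08\x0b-\x1f\x7f]/) { |c| "^" + (c.ord ^ 0x40).chr }
end

# Vulnerable pattern described by the advisory (hypothetical name): the
# response body reaches the terminal exactly as the server sent it.
def print_response_unsafe(body, out = $stdout)
  out.puts body
end

# Hardened pattern (hypothetical name): sanitize before printing.
def print_response_safe(body, out = $stdout)
  out.puts sanitize_for_terminal(body)
end

# Constructed sample response: a clear-screen and cursor-home sequence
# followed by a spoofed message, as a tampered server response might carry.
SAMPLE_RESPONSE = "Error: permission denied\e[2J\e[HSuccessfully registered gem\e[0m"

if __FILE__ == $0
  print_response_safe(SAMPLE_RESPONSE)
  # prints: Error: permission deniedSuccessfully registered gem
end
```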

Package                    Affected version
pkg:gem/rubygems-update    < 3.0.3
pkg:gem/rubygems-update    = 2.6

Package                    Unaffected version
pkg:gem/rubygems-update    < 2.6

Package                    Fixed version
pkg:gem/rubygems-update    >= 3.0.3
pkg:gem/rubygems-update    = 2.7.9
Source
Name                 ID                     URL
Security Advisory    GHSA-3h4r-pjv6-cph9    https://github.com/advisories/GHSA-3h4r-pjv6-cph9
Type          Package URL                Name / Product      Version
Fixed         pkg:gem/rubygems-update    rubygems-update     >= 3.0.3
Affected      pkg:gem/rubygems-update    rubygems-update     < 3.0.3
Fixed         pkg:gem/rubygems-update    rubygems-update     = 2.7.9
Unaffected    pkg:gem/rubygems-update    rubygems-update     < 2.6
Affected      pkg:gem/rubygems-update    rubygems-update     = 2.6