Fluid Attacks Database

Description

Code injection in RubyGems An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	jruby	>=0 <9.1.17.0-3	9.1.17.0-3
debian 13	jruby	>=0 <9.1.17.0-3	9.1.17.0-3
alpine v3.7	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.3-r0 \|\| =2.4.4-r0 \|\| =2.4.5-r0 \|\| >=0 <2.4.6-r0	2.4.6-r0
debian 12	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
alpine v3.6	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.2-r0 \|\| =2.4.3-r0 \|\| =2.4.4-r0 \|\| =2.4.5-r0 \|\| >=0 <2.4.6-r0	2.4.6-r0
alpine v3.9	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.3-r0 \|\| =2.5.0-r0 \|\| =2.5.0-r1 \|\| =2.5.1-r0 \|\| =2.5.1-r1 \|\| =2.5.1-r2 \|\| =2.5.2-r0 \|\| =2.5.3-r0 \|\| =2.5.3-r1 \|\| >=0 <2.5.5-r0	2.5.5-r0
debian 14	jruby	>=0 <9.1.17.0-3	9.1.17.0-3
rubygems	rubygems-update	>=2.6.0 <2.7.9 \|\| >=3.0.0 <3.0.2	2.7.9, 3.0.2
alpine v3.8	ruby	=1.8.7_p160-r2 \|\| =1.8.7_p160-r3 \|\| =1.8.7_p174-r0 \|\| =1.8.7_p174-r1 \|\| =1.8.7_p174-r2 \|\| =1.8.7_p174-r3 \|\| =1.8.7_p174-r4 \|\| =1.8.7_p174-r6 \|\| =1.8.7_p174-r7 \|\| =1.8.7_p299-r0 \|\| =1.8.7_p299-r1 \|\| =1.8.7_p299-r2 \|\| =1.8.7_p352-r0 \|\| =1.8.7_p352-r1 \|\| =1.8.7_p358-r1 \|\| =1.8.7_p72-r1 \|\| =1.8.7_p72-r2 \|\| =1.9.3_p194-r0 \|\| =1.9.3_p286-r0 \|\| =1.9.3_p286-r1 \|\| =1.9.3_p286-r2 \|\| =1.9.3_p327-r0 \|\| =1.9.3_p362-r0 \|\| =1.9.3_p374-r0 \|\| =1.9.3_p385-r0 \|\| =1.9.3_p392-r0 \|\| =2.0.0_p0-r0 \|\| =2.0.0_p0-r1 \|\| =2.0.0_p195-r0 \|\| =2.0.0_p247-r0 \|\| =2.0.0_p247-r1 \|\| =2.0.0_p247-r2 \|\| =2.0.0_p247-r3 \|\| =2.0.0_p353-r0 \|\| =2.0.0_p353-r1 \|\| =2.0.0_p353-r2 \|\| =2.0.0_p481-r0 \|\| =2.1.5-r0 \|\| =2.1.5-r1 \|\| =2.2.1-r0 \|\| =2.2.2-r0 \|\| =2.2.2-r1 \|\| =2.2.3-r0 \|\| =2.2.3-r1 \|\| =2.2.4-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.3.1-r2 \|\| =2.3.2-r0 \|\| =2.3.3-r0 \|\| =2.3.3-r1 \|\| =2.3.3-r2 \|\| =2.3.3-r3 \|\| =2.4.0-r3 \|\| =2.4.1-r1 \|\| =2.4.1-r2 \|\| =2.4.1-r3 \|\| =2.4.1-r4 \|\| =2.4.1-r5 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.3-r0 \|\| =2.5.0-r0 \|\| =2.5.0-r1 \|\| =2.5.1-r0 \|\| =2.5.1-r1 \|\| =2.5.1-r2 \|\| =2.5.2-r0 \|\| >=0 <2.5.5-r0	2.5.5-r0
debian 11	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1

1-10 of 14

Aliases

1. CVE-2019-83242. NVD-2019-83243. OSV-DEBIAN-2019-83244. OSV-2019-83245. OSV-ALPINE-2019-83246. GCVE-2019-83247. SECURITY-TRACKER-CVE-2019-83248. SECURITY-CVE-2019-83249. access.redhat.com10. lists.debian.org

References

1. https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html2. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2019-8324.yml3. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html