CVE-2019-8322
Public on 2019-06-17
Modified on 2019-08-12
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
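The defensive pattern the description points to, as an added example (not RubyGems code and not part of this advisory): text from an API response is stripped of terminal control characters before it is written to stdout. The helper names `sanitize_for_terminal` and `control_chars`, and the sample response, are constructed for illustration.

```ruby
# Added example; not RubyGems source. All names and sample data are constructed.

# Constructed API response body: an owner listing whose fields carry terminal
# control sequences (ESC [ 2 J, an OSC title sequence ended by BEL, and a bare
# carriage return that would move the cursor back over the previous text).
CRAFTED_RESPONSE = "- email: alice@example.test\e[2J\e]0;spoofed title\a\n" \
                   "  handle: alice\r- email: overwritten@example.test\n"

# C0 controls except tab and newline, DEL, and the C1 range (U+0080..U+009F,
# which includes the single-character CSI U+009B).
CONTROL_RE = /[\u0000-\u0008\u000B-\u001F\u007F\u0080-\u009F]/

# Normalise to valid UTF-8 first so the regex never sees broken byte
# sequences; invalid bytes (for example a raw 0x9B) become ".".
def normalise(text)
  text.to_s.dup.force_encoding(Encoding::UTF_8).scrub(".")
end

# Hardened output path: every control character is replaced with "." so the
# terminal only ever receives printable text, tabs and newlines.
def sanitize_for_terminal(text)
  normalise(text).gsub(CONTROL_RE, ".")
end

# Detection helper: list the control characters found, in a printable form
# suitable for logging when a response looks tampered with.
def control_chars(text)
  normalise(text).scan(CONTROL_RE).map { |c| format("U+%04X", c.ord) }
end

if __FILE__ == $PROGRAM_NAME
  # The raw body is shown only via #inspect, never written to the terminal as-is.
  puts "raw (inspected): #{CRAFTED_RESPONSE.inspect}"
  puts "controls found:  #{control_chars(CRAFTED_RESPONSE).join(', ')}"
  puts "sanitized:"
  puts sanitize_for_terminal(CRAFTED_RESPONSE)
end
```
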
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Core | ruby | 2019-07-18 | ALAS2-2019-1249 | Fixed |
Amazon Linux 1 | ruby20 | 2019-08-07 | ALAS-2019-1255 | Fixed |
Amazon Linux 1 | ruby21 | 2019-08-07 | ALAS-2019-1255 | Fixed |
Amazon Linux 1 | ruby24 | 2019-08-07 | ALAS-2019-1255 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |