CVE-2019-8323
Public on 2019-06-17
Modified on 2019-08-12
Description
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | ruby | 2019-07-18 | ALAS2-2019-1249 | Fixed |
| Amazon Linux 1 | ruby20 | 2019-08-07 | ALAS-2019-1255 | Fixed |
| Amazon Linux 1 | ruby21 | 2019-08-07 | ALAS-2019-1255 | Fixed |
| Amazon Linux 1 | ruby24 | 2019-08-07 | ALAS-2019-1255 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |