{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-16T14:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/315087"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-8322", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/315087", "refsource": "MISC", "url": "https://hackerone.com/reports/315087"}, {"name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:17:30.583Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/315087"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-8322", "datePublished": "2019-06-17T19:02:14", "dateReserved": "2019-02-13T00:00:00", "dateUpdated": "2024-08-04T21:17:30.583Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA6AD511-0C15-4FC9-B28D-7FD3471A4B26", "versionEndIncluding": "3.0.2", "versionStartIncluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur."}, {"lang": "es", "value": "Se descubri\u00f3 un error en RubyGems 2.6 y mucho m\u00e1s tarde hasta 3.0.2 El comando de propietario de gemas env\u00eda el contenido de la respuesta de la API directamente a la salida est\u00e1ndar. Por lo tanto, si la respuesta es elaborada, puede ocurrir una inyecci\u00f3n de secuencia de escape."}], "id": "CVE-2019-8322", "lastModified": "2024-11-21T04:49:41.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-17T20:15:10.353", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"source": "cve@mitre.org", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/315087"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/315087"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-amazon-smartstate-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-appliance-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-gemset-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ruby-0:2.4.6-91.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1235", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "ruby-0:2.0.0.648-35.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-05-15T00:00:00Z"}, {"advisory": "RHSA-2020:2769", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "ruby-0:2.0.0.648-37.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-06-30T00:00:00Z"}, {"advisory": "RHSA-2020:2769", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "ruby-0:2.0.0.648-37.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-06-30T00:00:00Z"}, {"advisory": "RHSA-2020:2769", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "ruby-0:2.0.0.648-37.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-06-30T00:00:00Z"}, {"advisory": "RHBA-2019:3384", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8010020190711131821.cdc1202b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby24-ruby-0:2.4.6-92.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-13T00:00:00Z"}], "bugzilla": {"description": "rubygems: Escape sequence injection vulnerability in gem owner", "id": "1692516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692516"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-88", "details": ["An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur."], "name": "CVE-2019-8322", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "rubygems", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Fix deferred", "package_name": "rh-ruby23-ruby", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-ruby26-ruby", "product_name": "Red Hat Software Collections"}], "public_date": "2019-03-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-8322\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-8322"], "threat_severity": "Low"}