{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-16T14:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/328571"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:1972", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1972"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-8324", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/328571", "refsource": "MISC", "url": "https://hackerone.com/reports/328571"}, {"name": "openSUSE-SU-2019:1771", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:1972", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1972"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:17:31.266Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/328571"}, {"name": "openSUSE-SU-2019:1771", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"name": "RHSA-2019:1972", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1972"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-8324", "datePublished": "2019-06-17T18:59:30", "dateReserved": "2019-02-13T00:00:00", "dateUpdated": "2024-08-04T21:17:31.266Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA6AD511-0C15-4FC9-B28D-7FD3471A4B26", "versionEndIncluding": "3.0.2", "versionStartIncluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check."}, {"lang": "es", "value": "Se descubri\u00f3 un error en RubyGems 2.6 y posteriormente hasta 3.0.2 Una gema hecha a mano con un nombre de varias l\u00edneas no se maneja correctamente. Por lo tanto, un atacante podr\u00eda inyectar un c\u00f3digo arbitrario a la l\u00ednea de c\u00f3digo auxiliar de gemspec, que se eval\u00faa mediante un c\u00f3digo en asegurar_loadable_spec durante la verificaci\u00f3n de preinstalaci\u00f3n."}], "id": "CVE-2019-8324", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-17T19:15:11.843", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1972"}, {"source": "cve@mitre.org", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/328571"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-amazon-smartstate-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-appliance-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-gemset-0:5.10.5.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1429", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ruby-0:2.4.6-91.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-06-11T00:00:00Z"}, {"advisory": "RHSA-2019:1235", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "ruby-0:2.0.0.648-35.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-05-15T00:00:00Z"}, {"advisory": "RHSA-2020:2769", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "ruby-0:2.0.0.648-37.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-06-30T00:00:00Z"}, {"advisory": "RHSA-2020:2769", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "ruby-0:2.0.0.648-37.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-06-30T00:00:00Z"}, {"advisory": "RHSA-2020:2769", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "ruby-0:2.0.0.648-37.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-06-30T00:00:00Z"}, {"advisory": "RHSA-2019:1972", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8000020190524123348.55190bc5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-08-07T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby24-ruby-0:2.4.6-92.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1151", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-ruby23-ruby-0:2.3.8-70.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1151", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-70.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1151", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-70.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1151", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-70.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1148", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.5-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1150", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby24-ruby-0:2.4.6-92.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-13T00:00:00Z"}, {"advisory": "RHSA-2019:1151", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby23-ruby-0:2.3.8-70.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-13T00:00:00Z"}], "bugzilla": {"description": "rubygems: Installing a malicious gem may lead to arbitrary code execution", "id": "1692520", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692520"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.", "A flaw was found in RubyGems. A crafted gem with a multi-line name is not handled correctly allowing an attacker to inject arbitrary code to the stub line of gemspec. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2019-8324", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "rubygems", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-ruby26-ruby", "product_name": "Red Hat Software Collections"}], "public_date": "2019-03-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-8324\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-8324\nhttps://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html\nhttps://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/"], "threat_severity": "Important"}