CVE-2019-8322

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Database specific

{
    "unresolved_ranges": [
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "15.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "15.1"
                }
            ]
        }
    ]
}

References

Affected packages

Git / github.com/ruby/rubygems

Affected ranges

Type

GIT

Repo

https://github.com/ruby/rubygems

Events

Introduced

4bfc34cb00f3be715d811bf9106e01a4893fbf92

Last affected

d5ddf07a88a89c34339b268533de594990f7170b

Database specific

{
    "cpe": "cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "2.6.0"
        },
        {
            "last_affected": "3.0.2"
        }
    ]
}

Affected versions

v2.*

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v3.*

v3.0.0

v3.0.0.beta1

v3.0.0.beta3

v3.0.1

v3.0.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-8322.json"