DEBIAN-CVE-2019-8320

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2019-8320

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2019-8320

Upstream

CVE-2019-8320

Published

2019-06-06T15:29:01.420Z

Modified

2025-11-14T04:01:11.683607Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

References

https://security-tracker.debian.org/tracker/CVE-2019-8320

Affected packages

Debian:11

rubygems

Package

Name: rubygems
Purl: pkg:deb/debian/rubygems?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.0~rc.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"

Debian:12

jruby

Package

Name: jruby
Purl: pkg:deb/debian/jruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.1.17.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"

rubygems

Package

Name: rubygems
Purl: pkg:deb/debian/rubygems?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.0~rc.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"

Debian:13

jruby

Package

Name: jruby
Purl: pkg:deb/debian/jruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.1.17.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"

rubygems

Package

Name: rubygems
Purl: pkg:deb/debian/rubygems?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.0~rc.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"

Debian:14

jruby

Package

Name: jruby
Purl: pkg:deb/debian/jruby?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.1.17.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"

rubygems

Package

Name: rubygems
Purl: pkg:deb/debian/rubygems?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.0~rc.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-8320.json"