#VU20189 Code Injection in RubyGems - CVE-2019-8324
Published: August 13, 2019
Vulnerability identifier: #VU20189
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-8324
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
RubyGems
RubyGems
Software vendor:
Ruby
Ruby
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing multiple line entries within gems in ensure_loadable_spec(). A remote attacker can send a specially crafted gem, inject malicious code into stub line of gemspec and execute it code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.