CVE-2019-8322 — RubyGems Escape sequence injection vulnerability in gem owner

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

How to fix CVE-2019-8322

To remediate CVE-2019-8322, upgrade the affected package to a fixed version below.

Alpine/ruby—upgrade to 2.4.6-r0 or later
—upgrade to 9.1.17.0-3 or later
—upgrade to 3.2.0~rc.1-1 or later
—upgrade to 2.7.9 or later

Is CVE-2019-8322 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 2.4.6-r0
from 0, < 9.1.17.0-3
from 0, < 3.2.0~rc.1-1
>= 2.6.0, < 2.7.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-8322
ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-8322
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-8322
WEBlists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html