rubygems-update 2.7.0
RubyGems Improper Verification of Cryptographic Signature vulnerability
critical severity CVE-2018-1000076>= 2.7.6
< 2.2.0
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic Signature vulnerability in package.rb. This can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability has been fixed in 2.7.6.
Escape sequence injection vulnerability in errors
high severity CVE-2019-8325>= 3.0.3, ~> 2.7.9
< 2.6
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
Installing a malicious gem may lead to arbitrary code execution
high severity CVE-2019-8324>= 3.0.3, ~> 2.7.9
< 2.6
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
Escape sequence injection vulnerability in api response handling
high severity CVE-2019-8323>= 3.0.3, ~> 2.7.9
< 2.6
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
Escape sequence injection vulnerability in gem owner
high severity CVE-2019-8322~> 2.7.9, >= 3.0.3
< 2.6
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
Escape sequence injection vulnerability in verbose
high severity CVE-2019-8321>= 3.0.3, ~> 2.7.9
< 2.6
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
RubyGems Infinite Loop vulnerability
high severity CVE-2018-1000075>= 2.7.6
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
RubyGems Deserialization of Untrusted Data vulnerability
high severity CVE-2018-1000074>= 2.7.6
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data
vulnerability in owner command that can result in code execution. This attack requires
the victim to run the gem owner command on a gem with a specially crafted YAML
file. This vulnerability is fixed in 2.7.6.
RubyGems Link Following vulnerability
high severity CVE-2018-1000073>= 2.7.6
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability
in install_location function of package.rb that can result in path traversal
when writing to a symlinked basedir outside of the root. This vulnerability appears
to have been fixed in 2.7.6.
RubyGems Path Traversal vulnerability
medium severity CVE-2018-1000079>= 2.7.6
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable via installation of a malicious gem. This vulnerability is fixed in 2.7.6.
RubyGems Cross-site Scripting vulnerability
medium severity CVE-2018-1000078>= 2.7.6
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack requires the victim to browse to a malicious gem on a vulnerable gem server. This vulnerability is fixed in 2.7.6.
RubyGems Improper Input Validation vulnerability
medium severity CVE-2018-1000077>= 2.7.6
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem setting an invalid homepage URL. This vulnerability is fixed in 2.7.6.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.