Arbitrary Code Injection Affecting ruby2.5-devel-extra package, versions <2.5.5-4.3.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES150-RUBY25DEVELEXTRA-2748829
- published 14 Apr 2022
- disclosed 10 Jul 2019
Introduced: 10 Jul 2019
CVE-2019-8324 Open this link in a new tabHow to fix?
Upgrade SLES:15.0 ruby2.5-devel-extra to version 2.5.5-4.3.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ruby2.5-devel-extra package and not the ruby2.5-devel-extra package as distributed by SLES.
See How to fix? for SLES:15.0 relevant fixed versions and status.
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
References
- https://www.suse.com/security/cve/CVE-2019-8324.html
- https://bugzilla.suse.com/1130617
- https://hackerone.com/reports/328571
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- https://access.redhat.com/errata/RHSA-2019:1972
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html