FreeBSD : RubyGems -- multiple vulnerabilities (27b12d04-4722-11e9-8b7c-b5e01141761f)

high Nessus Plugin ID 122883

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

RubyGems Security Advisories:

CVE-2019-8320: Delete directory using symlink when decompressing tar

CVE-2019-8321: Escape sequence injection vulnerability in 'verbose'

CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner'

CVE-2019-8323: Escape sequence injection vulnerability in API response handling

CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution

CVE-2019-8325: Escape sequence injection vulnerability in errors
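What CVE-2019-8320 above amounts to in practice, as an added example that is not part of this plugin page and not RubyGems' own code: a constructed gem-style tar whose first entry is a symlink pointing outside the install directory and whose second entry writes through it, fed to a naive extractor and then to a hardened one. The header builder, both extractors, write_entry, install_location and demo are my own illustrative code; the hardened check reconstructs the idea of resolving real paths before rm_rf/mkdir/write and is not the project's patch.

```ruby
# Added example (my own code, not the plugin page's or RubyGems'): the
# CVE-2019-8320 pattern, a symlink entry in a gem's tar that points outside
# the install directory followed by a file entry that passes through it.
require "rubygems/package"
require "stringio"
require "tmpdir"
require "fileutils"
class PathError < StandardError; end

# Hand-built 512-byte ustar header (hypothetical helper) so the constructed
# archive can carry a symlink entry without depending on any writer API.
def tar_header(name, typeflag, size: 0, linkname: "")
  octal = ->(value, width) { format("%0#{width}o", value) + "\0" }
  h = "".b
  h << name.ljust(100, "\0")
  h << octal.(0644, 7) << octal.(0, 7) << octal.(0, 7)   # mode, uid, gid
  h << octal.(size, 11) << octal.(0, 11)                 # size, mtime
  h << " " * 8                                           # checksum slot
  h << typeflag << linkname.ljust(100, "\0")
  h << "ustar\0" << "00" << "\0" * 64                    # magic, version, uname, gname
  h << octal.(0, 7) << octal.(0, 7)                      # devmajor, devminor
  h = h.ljust(512, "\0")                                 # prefix and padding
  h[148, 8] = format("%06o", h.bytes.sum) + "\0 "
  h
end

# Constructed malicious archive: "lib" is a symlink to victim_dir, then a file under "lib/".
def build_malicious_tar(victim_dir)
  payload = "puts 'attacker code'\n"
  io = StringIO.new("".b)
  io << tar_header("lib", "2", linkname: victim_dir)
  io << tar_header("lib/data/keep.txt", "0", size: payload.bytesize)
  io << payload.ljust(512, "\0") << "\0" * 1024          # data block, end-of-archive
  io.rewind
  io
end

def write_entry(entry, destination)
  if entry.symlink?
    File.symlink entry.header.linkname, destination
  elsif entry.file?
    File.binwrite destination, entry.read
  end
end

# Naive extraction: joins the entry name onto the install dir, then rm_rf's
# and writes there. Both operations follow the symlink the first entry made.
def extract_naive(tar_io, destination_dir)
  Gem::Package::TarReader.new(tar_io).each do |entry|
    destination = File.expand_path(entry.full_name, destination_dir)
    FileUtils.rm_rf destination
    FileUtils.mkdir_p File.dirname(destination)
    write_entry(entry, destination)
  end
end

# Hardened location check (my reconstruction of the fix's idea, not RubyGems'
# code): reject absolute names and names that normalise outside the install
# dir, then resolve symlinks in the deepest existing ancestor of the
# destination and reject it if the real path lies outside the install dir.
def install_location(filename, destination_dir)
  raise PathError, "absolute entry name #{filename}" if filename.start_with?("/")
  root = File.realpath(destination_dir)
  destination = File.expand_path(filename, root)
  raise PathError, "#{filename} escapes #{root}" unless destination.start_with?(root + "/")
  existing = destination
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  real = (File.realpath(existing) rescue nil)
  raise PathError, "cannot resolve #{existing}" unless real
  raise PathError, "#{filename} resolves to #{real}, outside #{root}" unless real == root || real.start_with?(root + "/")
  destination
end

def extract_hardened(tar_io, destination_dir)
  Gem::Package::TarReader.new(tar_io).each do |entry|
    destination = install_location(entry.full_name, destination_dir)
    FileUtils.rm_rf destination
    FileUtils.mkdir_p File.dirname(destination)
    write_entry(entry, destination)
  end
end

# Run both extractors against a scratch victim directory; per extractor,
# return [victim file still intact?, error message raised or nil].
def demo
  Dir.mktmpdir do |tmp|
    victim = File.join(tmp, "victim")
    keep = File.join(victim, "data", "keep.txt")
    results = [:extract_naive, :extract_hardened].map do |extractor|
      FileUtils.mkdir_p File.dirname(keep)
      File.write keep, "precious\n"
      dest = File.join(tmp, extractor.to_s)
      FileUtils.mkdir_p dest
      error = begin
        send(extractor, build_malicious_tar(victim), dest)
        nil
      rescue PathError => e
        e.message
      end
      [File.read(keep) == "precious\n", error]
    end
    { naive: results[0], hardened: results[1] }
  end
end
```

Calling demo shows the naive extractor replacing a file that lives outside its install directory (rm_rf and the subsequent write both go through the symlink), while the hardened one raises PathError at the second entry and leaves the victim untouched. The example deliberately lets the symlink entry itself through so that the real-path check is what catches the damage; that also covers symlinks that were already present in the install directory before extraction started. Rejecting symlink entries whose target is absolute or leaves the install directory is a complementary check worth adding in front of it.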
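The four escape-sequence entries above (CVE-2019-8321, -8322, -8323 and -8325) share one mechanism: text the attacker controls (a gem name, an API response, an error string) is written to the user's terminal unfiltered, so terminal control sequences embedded in it are interpreted. The following is an added example, not code from this page or from RubyGems: a constructed malicious string, the unsafe interpolation pattern, and a sanitiser that strips CSI, OSC and other escape sequences plus stray control characters at the output boundary. The regular expression, function names and sample string are my own.

```ruby
# Added example (my own code, not the plugin page's or RubyGems'): how a
# terminal escape sequence carried in attacker-controlled gem metadata reaches
# the terminal through unfiltered messages, and a sanitiser that stops it.

# Constructed sample of untrusted text: a gem name carrying an OSC sequence
# (retitles the terminal), two CSI sequences (clear screen, home cursor) and
# a bare carriage return that overwrites the current line with fake output.
MALICIOUS_NAME = "harmless\e]0;you have been pwned\a\e[2J\e[H\rfake: install ok"

# Terminal control data to neutralise. Visible characters, tab and newline
# are left alone so legitimate names and multi-line messages survive intact.
# Input is assumed to be UTF-8 (or ASCII) text.
ESCAPE_RE = /
  \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]   # CSI: ESC [ parameters intermediates final
  | \e\][^\a\e]*(?:\a|\e\\)                 # OSC: ESC ] text, ended by BEL or by ST
  | \e[\x20-\x2f]*[\x30-\x7e]               # other ESC sequences, e.g. ESC c (full reset)
  | [\u0080-\u009f]                         # C1 control characters
  | [\x00-\x08\x0b-\x1f\x7f]                # C0 controls and DEL, except tab and newline
/x

# Replace every control sequence or lone control character with a visible
# "." (one dot per sequence), so the text stays readable but inert.
def clean_text(text)
  text.to_s.gsub(ESCAPE_RE, ".")
end

def terminal_controls?(text)
  text.to_s.match?(ESCAPE_RE)
end

# Vulnerable pattern: untrusted metadata interpolated straight into a message
# that will be written to the user's terminal.
def alert_error_unsafe(gem_name)
  "ERROR:  Could not find a valid gem '#{gem_name}'"
end

# Hardened pattern: sanitise at the output boundary, where gemspec fields,
# API responses and server-supplied error text all converge.
def alert_error_safe(gem_name)
  "ERROR:  Could not find a valid gem '#{clean_text(gem_name)}'"
end

if $PROGRAM_NAME == __FILE__
  puts alert_error_safe(MALICIOUS_NAME)   # ERROR:  Could not find a valid gem 'harmless....fake: install ok'
  p alert_error_unsafe(MALICIOUS_NAME)    # inspect (never puts) the raw version to see the sequences
end
```

Sanitising once at the point where text meets the terminal is the robust shape of this fix: every source named in the advisories then passes through the same filter, rather than each code path remembering to escape its own data. A lone ESC with no recognisable sequence after it is still replaced, and an OSC with no terminator loses only its introducer, so the remaining text stays visible for diagnosis.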

Solution

Update the affected ruby23-gems, ruby24-gems and ruby25-gems packages. The referenced RubyGems advisory shipped the fixes in RubyGems 2.7.9 and 3.0.3, so the installed package must be a build that carries one of those releases or later. After updating, confirm with gem --version for each installed Ruby and re-run pkg audit -F so the host is checked against the current VuXML database rather than a stale local copy.

See Also

https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html

https://github.com/rubygems/rubygems/blob/master/History.txt

http://www.nessus.org/u?430f1e1b

Plugin Details

Severity: High

ID: 122883

File Name: freebsd_pkg_27b12d04472211e98b7cb5e01141761f.nasl

Version: 1.6

Type: local

Published: 3/18/2019

Updated: 6/13/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 8.8

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:C/A:C

CVSS Score Source: CVE-2019-8320

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-8324

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ruby23-gems, p-cpe:/a:freebsd:freebsd:ruby24-gems, p-cpe:/a:freebsd:freebsd:ruby25-gems, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/15/2019

Vulnerability Publication Date: 3/5/2019

Reference Information

CVE: CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325