CVE-2019-8322

Public on 2019-06-17

Modified on 2019-08-12

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Severity

Low

See what this means

CVSS v3 Base Score

5.3

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	ruby	2019-07-18 18:14	ALAS2-2019-1249
Amazon Linux 1	ruby20	2019-08-07 22:58	ALAS-2019-1255
Amazon Linux 1	ruby21	2019-08-07 22:58	ALAS-2019-1255
Amazon Linux 1	ruby24	2019-08-07 22:58	ALAS-2019-1255

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2019-8322 Mitre: CVE-2019-8322 FAQs regarding Amazon Linux ALAS/CVE Severity