CVE-2019-8323

Public on 2019-06-17

Modified on 2019-08-12

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

Severity

Low

See what this means

CVSS v3 Base Score

5.3

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	ruby	2019-07-18 18:14	ALAS2-2019-1249
Amazon Linux 1	ruby20	2019-08-07 22:58	ALAS-2019-1255
Amazon Linux 1	ruby21	2019-08-07 22:58	ALAS-2019-1255
Amazon Linux 1	ruby24	2019-08-07 22:58	ALAS-2019-1255

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2019-8323 Mitre: CVE-2019-8323 FAQs regarding Amazon Linux ALAS/CVE Severity