CVE-2019-8320
Summary
| CVE | CVE-2019-8320 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-06-06 15:29:00 UTC |
| Updated | 2020-08-16 15:15:00 UTC |
| Description | A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] [DLA 2330-1] jruby security update | MLIST | lists.debian.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| March 2019 Security Advisories - RubyGems Blog | CONFIRM | blog.rubygems.org | Vendor Advisory |
| [security-announce] openSUSE-SU-2019:1771-1: important: Security update | SUSE | lists.opensuse.org | |
| HackerOne | MISC | hackerone.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.