RubyGems updated due to some vulnerabilities


As nothing in this world is perfect, RubyGems, the package manager bundled with Ruby, has had multiple vulnerabilities. We recently shared the news of the RubyGems 3.0.0 release; today we are back with more news, and it is good news: RubyGems has been updated to fix those vulnerabilities, so we recommend moving to the latest stable version.

Several vulnerabilities, including one where a gem author could package a gem so that installing it deletes arbitrary directories, were fixed in RubyGems 3.0.3 and 2.7.9, so upgrade now (gem update --system brings you to the current release). Here are the main fixes:

CVE-2019-8320: DELETE DIRECTORY USING SYMLINK WHEN DECOMPRESSING TAR

A directory traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before creating a new directory or touching a file during extraction (the code now checks paths for symlinks), RubyGems deleted the target destination first. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, provided the attacker could guess the paths.
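The mechanism behind that fix, as an added example that is not RubyGems' own code: a malicious archive first plants a symlink (lib) pointing outside the gem directory, then ships an ordinary file under lib/. FileUtils.rm_rf does not follow a symlink at the final path component, but the operating system resolves symlinks in the parent components, so clearing "lib/secret.txt" removes the file the symlink points at. The hardened check resolves the nearest existing ancestor of the destination with File.realpath and refuses anything that lands outside the resolved install directory. All names (naive_clear_destination, inside_install_dir?, the temp directory layout) are made up for this illustration.

```ruby
require "fileutils"
require "tmpdir"

# Vulnerable pattern: clear the destination before writing the archive entry.
# If a parent component of dest is a symlink, the OS resolves it, and the
# delete happens wherever the symlink points.
def naive_clear_destination(dest)
  FileUtils.rm_rf(dest)
end

# Hardened check: walk up from the would-be destination to the nearest path
# component that already exists, resolve its symlinks with File.realpath, and
# require the result to sit under the (also resolved) install directory.
# This also rejects plain "../" traversal, since realpath resolves that too.
def inside_install_dir?(install_dir, relative_path)
  root = File.realpath(install_dir)
  existing = File.join(root, relative_path)
  until File.exist?(existing) || File.symlink?(existing)
    existing = File.dirname(existing)
  end
  real = File.realpath(existing)
  real == root || real.start_with?(root + File::SEPARATOR)
rescue Errno::ENOENT
  false # a dangling symlink somewhere on the path: treat as unsafe
end

# Constructed scenario in a throwaway temp dir: a gem install directory, a
# "victim" directory next to it, and a malicious archive whose first entry is
# the symlink lib -> victim and whose second entry is the file lib/secret.txt.
def demo
  Dir.mktmpdir("gemsym") do |tmp|
    install = File.join(tmp, "gems", "evil-1.0")
    victim  = File.join(tmp, "victim")
    FileUtils.mkdir_p(install)
    FileUtils.mkdir_p(victim)
    secret = File.join(victim, "secret.txt")
    File.write(secret, "keep me\n")

    File.symlink(victim, File.join(install, "lib"))          # archive entry 1
    target = File.join(install, "lib", "secret.txt")         # archive entry 2

    hardened_allowed = inside_install_dir?(install, "lib/secret.txt")
    legit_allowed    = inside_install_dir?(install, "ext/native/extconf.rb")

    naive_clear_destination(target) # what the vulnerable extractor did
    deleted_by_naive = !File.exist?(secret)

    { hardened_allowed: hardened_allowed,
      legit_allowed: legit_allowed,
      deleted_by_naive: deleted_by_naive }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running it shows the naive clear removing victim/secret.txt while the check rejects "lib/secret.txt" and still accepts a path that only creates new directories under the gem root.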

CVE-2019-8321: ESCAPE SEQUENCE INJECTION VULNERABILITY IN verbose

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Because Gem::UserInteraction#verbose passes its message to say without escaping it, anyone who controls text that reaches verbose output can inject terminal escape sequences.

CVE-2019-8325: ESCAPE SEQUENCE INJECTION VULNERABILITY IN ERRORS

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Because Gem::CommandManager#run passes error messages to alert_error without escaping them, escape sequence injection is possible, and there are many ways to make RubyGems print an error.

Please see the RubyGems release announcement for the complete description of all the fixes.

By the way, we have also collected the 40 most used Ruby gems, which you may find helpful. Don't miss the chance to check them out too.
