CVE-2019-8320
Description
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the users machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
Risk Information
Base Score
7.4
MODERATE
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score
Exploitation Probability
8.473
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are fixed in Ruby-rubygems-update 2.7.9 | Windows |
| Vulnerabilities CVE-2019-8320 are fixed in Ruby-rubygems-update 3.0.3 | Windows |
| ruby2.3 security update(DSA-4433-1) ruby2.3_2.3.3-1+deb9u6_i386.deb | Linux |
| ruby2.3 security update(DSA-4433-1) ruby2.3_2.3.3-1+deb9u6_amd64.deb | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) libruby2_1-2_1-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) libruby2_1-2_1-debuginfo-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-debuginfo-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-debugsource-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-stdlib-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-stdlib-debuginfo-2.1.9-19.3.2.x86_64.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) libruby2_1-2_1-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) libruby2_1-2_1-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-debugsource-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-stdlib-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-stdlib-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpm | Linux |
| Multiple vulnerabilities are fixed in Ruby-rubygems-update for Linux 2.7.9 | Linux |
| Vulnerabilities CVE-2019-8320 are fixed in Ruby-rubygems-update for Linux 3.0.3 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234