Lucene search

RubySecRUBY:STRONG_PASSWORD-2019-13354

HistoryJul 04, 2019 - 9:00 p.m.

strong_password Ruby gem malicious version causing Remote Code Execution vulnerability

2019-07-0421:00:00

RubySec

withatwist.dev

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

The strong_password gem on RubyGems.org was hijacked by a malicious actor. The
malicious actor published v0.0.7 containing malicious code that enables an attacker
to execute remote code in production.

Upgrade strong_password to v0.0.8 to ensure no malicious code execution is possible.

Affected configurations

Vulners

Node

rubystrong_passwordRange≤0.0.8

VendorProductVersionCPE
rubystrong_password*cpe:2.3:a:ruby:strong_password:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	strong_password	*	cpe:2.3:a:ruby:strong_password::::::::

References

withatwist.dev/strong-password-rubygem-hijacked.html

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

Related for RUBY:STRONG_PASSWORD-2019-13354