RubyGems Delete directory using symlink when decompressing tar

GHSA-5x32-c9mf-49cc · CVE-2019-8320

Published Jun 20, 2019 · Modified Feb 16, 2024

Description

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-8320
WEB https://hackerone.com/reports/317321
WEB https://access.redhat.com/errata/RHSA-2019:1429
WEB https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
PACKAGE https://github.com/rubygems/rubygems
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2019-8320.yml
WEB https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
WEB http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes