Attacker Value
Very Low
(3 users assessed)
Exploitability
Moderate
(3 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

Installing a malicious gem may lead to arbitrary code execution

Last updated March 17, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

Add Assessment

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Technical Analysis

Rubygems has a vulnerability that allows for arbitrary code execution while a gem is being installed. However, it’s unclear how this is any worse than either using the malicious gem itself, or using the ability of gems to compile and execute arbitrary build instructions in the first place. It is interesting to be able to name a gem a particular way to create code execution. But you have to convince someone to install your gem in the first place. I presume that rubygems.org now prevents malicious gems from being published, but it would be interesting to see.

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Technical Analysis

In order for this attack to happen a Attacker needs to convince someone to install a ruby gem, which if someone is able to do that they would be able to find a better attack method.

General Information

Additional Info

Technical Analysis