CVE-2019-15224
CRITICAL 9.8 | EPSS 2.2% | rest-client Gem Contains Malicious Code
Published: 2019/8/20 | Modified: 2024/2/16
Description
The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.6.9, or upgrading to 1.7.x. Additionally, a set of other minor gems have been partially or completely yanked and are included in this advisory. These include cron_parser, coin_base, blockchain_wallet, awesome-bot, doge-coin, capistrano-colors, bitcoin_vanity, lita_coin, coming-soon, and omniauth_amazon.
Affected packages (10)
- RubyGems/awesome-bot: from 0
- RubyGems/bitcoin_vanity: from 0
- RubyGems/blockchain_wallet: from 0
- RubyGems/capistrano-colors: from 0
- RubyGems/coin_base: from 0
- RubyGems/coming-soon: from 0
- RubyGems/cron_parser: >= 1.0.13, <= 1.0.14
- RubyGems/doge-coin: from 0
- RubyGems/omniauth_amazon: from 0
- RubyGems/rest-client: >= 1.6.10, < 1.7.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Reference links (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-15224
- WEB: https://github.com/rest-client/rest-client/issues/713
- WEB: https://github.com/rubygems/rubygems.org/issues/2097
- WEB: https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/blockchain_wallet/CVE-2019-15224.yml
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/coin_base/CVE-2019-15224.yml
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doge-coin/CVE-2019-15224.yml
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lita_coin/CVE-2019-15224.yml
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth_amazon/CVE-2019-15224.yml
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rest-client/CVE-2019-15224.yml