CVE-2019-13589

CRITICAL

paranoid2 gem <1.1.6 - Code Injection

Title source: llm

Description

The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5.

References (4)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/rubygems/rubygems.org/issues/2051

[Vendor Advisory] https://rubygems.org/gems/paranoid2/versions

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/109281

[Third Party Advisory] https://snyk.io/vuln/SNYK-RUBY-PARANOID2-451600

Scores

CVSS v3 9.8

EPSS 0.0612

EPSS Percentile 90.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-829

Status published

Products (2)

anjlab/paranoid2 1.1.6

rubygems/paranoid2 RubyGems

Published Jul 14, 2019

Tracked Since Feb 18, 2026