CVE-2019-8320
Severity: HIGH
RubyGems 2.7.6-3.0.2 - Path Traversal via Symlink Deletion
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (code paths that now include symlink checks), the installer would first delete the target destination. If that destination was behind a symlink, a malicious gem could delete arbitrary files on the user's machine, provided the attacker could guess the paths. Given how frequently gem is run via sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could lead to data loss or an unusable system.
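The mechanism the description names, shown as an added example that is not RubyGems' own code: a simplified reconstruction of a "delete the destination, then write it" extraction step, beside a hardened version that resolves the on-disk path with realpath before touching anything. The function names, the temporary directory layout and the two-entry "malicious gem" (a symlink entry followed by a file entry whose path passes through that symlink) are assumptions made for the demonstration; the lexical `..` check in the vulnerable variant is there to show why a string-only path check does not stop this.

```ruby
require "fileutils"
require "tmpdir"

# Added illustration of the CVE-2019-8320 pattern; a simplified reconstruction,
# not RubyGems' own code. Function names and the directory layout are assumptions.

class PathTraversalError < StandardError; end

# Lexical containment check: catches "../x" but NOT a symlink inside the tree.
def inside_lexically?(root, rel_path)
  File.expand_path(rel_path, root).start_with?(root + File::SEPARATOR)
end

# Vulnerable pattern: check the string, clear the destination, then write.
# If a parent component of dest is a symlink pointing outside install_dir,
# rm_rf follows it, so both the deletion and the write land on the target.
def unsafe_write_entry(install_dir, rel_path, content)
  raise PathTraversalError, rel_path unless inside_lexically?(install_dir, rel_path)
  dest = File.join(install_dir, rel_path)
  FileUtils.rm_rf(dest)                  # removes through the symlinked parent
  FileUtils.mkdir_p(File.dirname(dest))
  File.write(dest, content)
end

# Hardened pattern: resolve what already exists on disk with realpath and
# refuse anything that leaves the install root (symlinks included).
def safe_write_entry(install_dir, rel_path, content)
  root = File.realpath(install_dir)
  raise PathTraversalError, rel_path unless inside_lexically?(root, rel_path)
  dest = File.expand_path(rel_path, root)

  # Find the deepest component that exists (or is a dangling symlink) and
  # resolve it; a symlink anywhere on the path shows up here.
  existing = dest
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  real = begin
    File.realpath(existing)
  rescue Errno::ENOENT
    raise PathTraversalError, "#{rel_path}: dangling symlink on path"
  end
  unless real == root || real.start_with?(root + File::SEPARATOR)
    raise PathTraversalError, "#{rel_path} resolves to #{real}, outside #{root}"
  end

  FileUtils.rm_rf(dest)
  FileUtils.mkdir_p(File.dirname(dest))
  File.write(dest, content)
end

# Constructed scenario: a victim file outside the install dir, and a malicious
# "gem" whose first entry is a symlink to the victim's directory and whose
# second entry is a file written through that symlink. Returns the victim's
# content afterwards (nil if it is gone) and any refusal message.
def demo(writer)
  Dir.mktmpdir("cve-2019-8320") do |tmp|
    victim_dir  = File.join(tmp, "victim")
    install_dir = File.join(tmp, "gems", "evil-1.0")
    FileUtils.mkdir_p([victim_dir, install_dir])
    victim = File.join(victim_dir, "important.conf")
    File.write(victim, "keep me\n")

    File.symlink(victim_dir, File.join(install_dir, "link"))   # entry 1
    blocked = nil
    begin
      writer.call(install_dir, "link/important.conf", "attacker content\n")  # entry 2
    rescue PathTraversalError => e
      blocked = e.message
    end
    { victim: (File.read(victim) if File.exist?(victim)), blocked: blocked }
  end
end

# Sanity check that the hardened writer still installs ordinary entries.
def benign_demo
  Dir.mktmpdir("cve-2019-8320") do |tmp|
    safe_write_entry(tmp, "lib/evil.rb", "puts 1\n")
    File.read(File.join(tmp, "lib", "evil.rb"))
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo(method(:unsafe_write_entry))  # victim now holds the attacker's content
  p demo(method(:safe_write_entry))    # entry refused, victim untouched
end
```

Note that `FileUtils.rm_rf` does not follow a symlink that is the final path component, but the kernel resolves symlinks in every parent component, which is exactly what the malicious gem relies on. The realpath check works because it compares where the path actually lands on disk, not what the string looks like; the same check is what should run before any mkdir or write that an untrusted archive drives.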
References (5)
- Exploit, Third Party Advisory (x_refsource_misc): https://hackerone.com/reports/317321
- Vendor Advisory (x_refsource_confirm): https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1429
- Mailing List, vendor advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- Mailing List (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
Scores
CVSS v3 Base Score: 7.4 (HIGH)
CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0631
EPSS Percentile: 91.1%
Details
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Status: published
Products (2)
rubygems/rubygems: 2.7.6 - 3.0.2
rubygems/rubygems-update: 2.7.6 - 2.7.9
Vendor: RubyGems
Published: Jun 06, 2019
Tracked Since: Feb 18, 2026