
CVE-2019-8321:
RubyGems Escape sequence injection vulnerability in verbose

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.48608%
Published: 6/20/2019
Updated: 8/28/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name     Ecosystem  Vulnerable Versions  First Patched Version
rubygems-update  rubygems   >= 2.6.0, < 2.7.9    2.7.9
rubygems-update  rubygems   >= 3.0.0, < 3.0.2    3.0.2

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability description explicitly states that 'Gem::UserInteraction#verbose calls say without escaping', making it the direct source of the injection flaw. Multiple authoritative sources (CVE description, RubyGems blog post, and ruby-advisory-db entry) confirm this root cause. The lack of output sanitization in this method matches the CWE-88 pattern of argument injection via unneutralized special elements.
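As an added illustration (not RubyGems' own code), the pattern the root cause describes: a verbose-style helper that hands text straight to say, beside a hardened variant that neutralises control characters first. The say stand-in, clean_text, CONTROL_CHARS and the sample string are assumptions constructed for this example.

```ruby
# Added example, not RubyGems' code: the unescaped-output pattern behind
# CVE-2019-8321 and one way to neutralise it before text reaches a terminal.

ESC = "\e"

# Hypothetical stand-in for `say`: returns the text that would be written to
# the terminal instead of printing it, so behaviour can be checked in a test.
def say(text)
  text + "\n"
end

# Vulnerable pattern: whatever the caller passes (for example text taken from
# gem metadata) reaches the terminal verbatim, ANSI escape sequences included.
def verbose_unsafe(msg)
  say(msg)
end

# Hardened pattern: replace C0 control characters (ESC = 0x1b among them) and
# DEL with "." before handing the text to say, so a terminal never interprets
# them. Tab and newline are deliberately kept. The character class is an
# assumption for this example, not the exact regex RubyGems ships.
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f]/

def clean_text(text)
  text.gsub(CONTROL_CHARS, ".")
end

def verbose_safe(msg)
  say(clean_text(msg))
end

# Constructed sample input: a gem summary carrying an ANSI clear-screen
# sequence and a cursor-move sequence.
SAMPLE = "Installing mygem \e[2J\e[1;1HDone"

# Detection helper: does the rendered output still contain a raw ESC byte?
def contains_escape?(output)
  output.include?(ESC)
end

if __FILE__ == $0
  puts verbose_unsafe(SAMPLE).inspect   # ESC bytes pass through untouched
  puts verbose_safe(SAMPLE).inspect     # ESC bytes replaced by "."
end
```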


WAF Protection Rules

WAF Rule

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
