The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6.
References
| Link | Resource |
|---|---|
| https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-strong_password-0-0-7/ | Third Party Advisory |
| https://github.com/bdmac/strong_password/releases | Release Notes, Third Party Advisory |
| https://rubygems.org/gems/strong_password/versions | Release Notes, Third Party Advisory |
| https://withatwist.dev/strong-password-rubygem-hijacked.html | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-07-08T13:26:10
Updated: 2019-07-09T13:30:32
Reserved: 2019-07-05T00:00:00
Link: CVE-2019-13354
NVD Information
Status: Analyzed
Published: 2019-07-08T14:15:10.350
Modified: 2019-07-10T13:10:10.170
Link: CVE-2019-13354
Redhat Information
No data.
CWE