strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
Published: July 05, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-13354 (NVD)
- GHSA: GHSA-5h5r-ffc4-c455
- Vendor Advisory: https://withatwist.dev/strong-password-rubygem-hijacked.html
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
UNAFFECTED VERSIONS
< 0.0.7
PATCHED VERSIONS
>= 0.0.8
DESCRIPTION
The strong_password gem on RubyGems.org was hijacked by a malicious actor, who
published v0.0.7 containing malicious code that enables an attacker to execute
arbitrary code remotely on production systems that load the gem.
Upgrade strong_password to v0.0.8 (or later) to ensure no malicious code execution is possible.
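As an added defender's check (example code written for this page, not from the advisory, RubyGems, or the gem's authors), the script below reads a Gemfile.lock, finds the pinned strong_password version, and classifies it against the version ranges the advisory states (unaffected < 0.0.7, patched >= 0.0.8, anything in between vulnerable). The lockfile text is constructed for illustration; the names ADVISORY, locked_versions, assess and vulnerable_gems are hypothetical helpers, and the version comparison uses Ruby's standard Gem::Version and Gem::Requirement.

```ruby
require "rubygems"

# Hypothetical structure holding the ranges from this advisory (not a real API).
ADVISORY = {
  gem:        "strong_password",
  unaffected: Gem::Requirement.new("< 0.0.7"),
  patched:    Gem::Requirement.new(">= 0.0.8"),
}.freeze

# Parse the top-level spec lines of a Gemfile.lock ("    name (version)").
# Top-level specs are indented by exactly four spaces; their transitive
# dependency lines are indented deeper and therefore do not match.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Classify one version string against the advisory's ranges. Any version that
# is neither in the unaffected range nor in the patched range is treated as
# vulnerable, which is the conservative reading of the advisory.
def assess(version_string)
  v = Gem::Version.new(version_string)
  return :unaffected if ADVISORY[:unaffected].satisfied_by?(v)
  return :patched    if ADVISORY[:patched].satisfied_by?(v)
  :vulnerable
end

# Return {name => version} for every locked gem matching the advisory that is
# in the vulnerable range (empty hash means the lockfile is clean).
def vulnerable_gems(lockfile_text)
  locked_versions(lockfile_text).select do |name, ver|
    name == ADVISORY[:gem] && assess(ver) == :vulnerable
  end
end

# Constructed sample lockfile pinning the hijacked release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.1)
      strong_password (0.0.7)
        rake (>= 10)

  PLATFORMS
    ruby

  DEPENDENCIES
    strong_password

  BUNDLED WITH
     2.1.4
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  found = vulnerable_gems(text)
  if found.empty?
    puts "no vulnerable #{ADVISORY[:gem]} version pinned"
  else
    found.each { |name, ver| puts "VULNERABLE: #{name} #{ver} (upgrade to >= 0.0.8)" }
  end
end
```

Run it with a path to a project's Gemfile.lock to check that project; with no argument it checks the embedded constructed sample, which pins the hijacked 0.0.7 release. Note that the regex in locked_versions deliberately ignores the indented dependency lines under each spec, so a constraint such as `rake (>= 10)` is never mistaken for a pinned version.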
