CVE-2019-13354 (strong_password): strong_password Ruby gem malicious version causing Remote Code Execution vulnerability

July 5th, 2019

ADVISORIES

CVE-2019-13354 (NVD)
GHSA-5h5r-ffc4-c455
Vendor Advisory

GEM

strong_password

SEVERITY

CVSS v3.x: 9.8 (Critical)

UNAFFECTED VERSIONS

< 0.0.7

PATCHED VERSIONS

>= 0.0.8

DESCRIPTION

The strong_password gem on RubyGems.org was hijacked by a malicious actor. The malicious actor published v0.0.7 containing malicious code that enables an attacker to execute remote code in production.

Upgrade strong_password to v0.0.8 to ensure no malicious code execution is possible.

RubySec