RubySec

Providing security resources for the Ruby community

CVE-2019-13354 (strong_password): strong_password Ruby gem malicious version causing Remote Code Execution vulnerability

ADVISORIES

GEM

strong_password

UNAFFECTED VERSIONS

  • != 0.0.7

PATCHED VERSIONS

  • >= 0.0.8

DESCRIPTION

The strong_password gem on RubyGems.org was hijacked by a malicious actor. The malicious actor published v0.0.7 containing malicious code that enables an attacker to execute remote code in production.

Upgrade strong_password to v0.0.8 to ensure no malicious code execution is possible.