Rubysec

Providing security resources for the Ruby community.

Advisory Archive


---
gem: strong_password
date: 2019-07-05
url: https://withatwist.dev/strong-password-rubygem-hijacked.html
cve: 2019-13354
title: strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
description: |
  The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The
  malicious actor published v0.0.7 containing malicious code that enables an attacker
  to execute remote code in production.

  Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible.
unaffected_versions:
- "!= 0.0.7"
patched_versions:
- ">= 0.0.8"
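The `unaffected_versions` and `patched_versions` fields above are RubyGems requirement strings; the following added example (not part of the rubysec advisory or the ruby-advisory-db tooling) evaluates an installed `strong_password` version against exactly those two constraints using only `Gem::Version` and `Gem::Requirement` from the standard rubygems library.

```ruby
# Added example: classify a strong_password version against the advisory's
# version constraints. Not part of the advisory; only rubygems is required.
require "rubygems"

# Constraint lists copied verbatim from the advisory above.
ADVISORY = {
  gem: "strong_password",
  cve: "2019-13354",
  unaffected_versions: ["!= 0.0.7"],
  patched_versions: [">= 0.0.8"],
}.freeze

# True when any requirement string in the list is satisfied by the version.
# Gem::Requirement understands the same operators the advisory uses (!=, >=).
def matches_any?(requirements, version)
  v = Gem::Version.new(version)
  requirements.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# A version is vulnerable when it is listed as neither unaffected nor patched.
def vulnerable?(advisory, version)
  !matches_any?(advisory[:unaffected_versions], version) &&
    !matches_any?(advisory[:patched_versions], version)
end

# Report which bucket a version falls into; patched wins over unaffected.
def classify(advisory, version)
  return :patched if matches_any?(advisory[:patched_versions], version)
  return :unaffected if matches_any?(advisory[:unaffected_versions], version)
  :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  %w[0.0.6 0.0.7 0.0.8].each do |ver|
    puts "#{ADVISORY[:gem]} #{ver}: #{classify(ADVISORY, ver)} (CVE-#{ADVISORY[:cve]})"
  end
end
```

Only 0.0.7 is flagged as vulnerable; 0.0.6 and earlier satisfy `!= 0.0.7`, and 0.0.8 satisfies `>= 0.0.8`.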