Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/ruby@2.4.6-91?arch=el7cf
purl pkg:rpm/redhat/ruby@2.4.6-91?arch=el7cf
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-f7x5-hz5f-hyd3
Aliases:
CVE-2019-8325
GHSA-4wm8-fjv7-j774
Improper Restriction of Operations within the Bounds of a Memory Buffer An issue was discovered in RubyGems. Since `Gem::CommandManager#run` calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) There are no reported fixed by versions.
VCID-ha3g-uyse-wybx
Aliases:
CVE-2019-8322
GHSA-mh37-8c3g-3fgc
Injection Vulnerability An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. There are no reported fixed by versions.
VCID-jkwe-c323-3yez
Aliases:
CVE-2019-8321
GHSA-fr32-gr5c-xq5c
Argument Injection or Modification An issue was discovered in RubyGems. Since `Gem::UserInteraction#verbose` calls say without escaping, escape sequence injection is possible. There are no reported fixed by versions.
VCID-ky5r-bch5-m7dv
Aliases:
CVE-2019-8323
GHSA-3h4r-pjv6-cph9
Injection Vulnerability An issue was discovered in RubyGems. `Gem::GemcutterUtilities#with_response` may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. There are no reported fixed by versions.
VCID-t78a-dw4s-vqf5
Aliases:
CVE-2019-8320
GHSA-5x32-c9mf-49cc
Path Traversal A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (`/tmp`, `/usr`, etc.), this could likely lead to data loss or an unusable system. There are no reported fixed by versions.
VCID-xgmc-a5rk-zqag
Aliases:
CVE-2019-8324
GHSA-76wm-422q-92mq
Improper Input Validation A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is evaluated by `ensure_loadable_spec` during the pre-installation check. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:20:51.467424+00:00 RedHat Importer Affected by VCID-f7x5-hz5f-hyd3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8325.json 38.0.0
2026-04-01T14:20:51.219459+00:00 RedHat Importer Affected by VCID-xgmc-a5rk-zqag https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8324.json 38.0.0
2026-04-01T14:20:50.967815+00:00 RedHat Importer Affected by VCID-ky5r-bch5-m7dv https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8323.json 38.0.0
2026-04-01T14:20:50.746425+00:00 RedHat Importer Affected by VCID-ha3g-uyse-wybx https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8322.json 38.0.0
2026-04-01T14:20:50.521867+00:00 RedHat Importer Affected by VCID-jkwe-c323-3yez https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8321.json 38.0.0
2026-04-01T14:20:50.306550+00:00 RedHat Importer Affected by VCID-t78a-dw4s-vqf5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-8320.json 38.0.0