Today we’re disclosing several vulnerabilities in RubyGems. They have all been reported via HackerOne.
We strongly recommend upgrading to the latest stable version of RubyGems, 3.0.3 or 2.7.8. If you can’t upgrade to RubyGems 2.7 or 3.0, please use this patch for RubyGems 2.6.
The following vulnerabilities have been reported.
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
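The list above covers two bug classes: terminal escape sequence injection (four of the six entries, where strings received from the gem server are printed to the user's terminal unfiltered) and a symlink abused while a tar archive is being unpacked. The following Ruby is an added example, written for this page and not RubyGems' own code or its fix; it shows the defensive check for each class. All function and constant names (sanitize_terminal_output, confined_destination?, demo_confinement, the *_RE patterns) and the owner-record shape are assumptions made here, and the directory tree built by demo_confinement is constructed sample data.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not RubyGems' own code. Names and policies are assumptions.

# ---------------------------------------------------------------------------
# 1. Escape sequence injection (the class behind CVE-2019-8321/8322/8323/8325).
#    Gem metadata, owner records, API responses and error text arrive from the
#    network and must not reach the terminal with control sequences intact.
# ---------------------------------------------------------------------------
CSI_RE  = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/ # ESC [ params final: colours, cursor moves, clear screen
OSC_RE  = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/         # ESC ] ... BEL or ESC \ : window title and similar
ESC2_RE = /\x1b[\x40-\x5f]/                            # any other ESC + one byte (e.g. ESC c = terminal reset)
C0_RE   = /[\x00-\x08\x0b-\x1f\x7f]/                   # remaining control bytes and DEL; tab and newline are kept
TERMINAL_ESCAPE_RE = Regexp.union(CSI_RE, OSC_RE, ESC2_RE, C0_RE)

# Strip anything that could drive the terminal from an untrusted string.
def sanitize_terminal_output(untrusted)
  untrusted.to_s.gsub(TERMINAL_ESCAPE_RE, "")
end

# Detection helper: true if the string carries terminal control sequences,
# useful for logging that a server response tried to smuggle one in.
def terminal_escape_sequences?(untrusted)
  TERMINAL_ESCAPE_RE.match?(untrusted.to_s)
end

# Example use: an owner listing where every field came from the remote API.
# (The :handle / :email record shape is an assumption of this example.)
def render_owner_line(owner)
  handle = sanitize_terminal_output(owner[:handle])
  email  = sanitize_terminal_output(owner[:email])
  "#{handle} (#{email})"
end

# ---------------------------------------------------------------------------
# 2. Path confinement when extracting an archive (the class behind CVE-2019-8320).
#    Before deleting, creating or writing an entry's destination, verify that
#    the path stays inside the extraction root both lexically (no "..", no
#    absolute path) and on disk (no component that is already a symlink, which
#    would redirect the operation to a directory the archive author chose).
# ---------------------------------------------------------------------------
def confined_destination?(root, entry_name)
  root = File.realpath(root)
  dest = File.expand_path(entry_name, root)
  # Lexical check: absolute entries and "../" climbs are rejected outright.
  return false unless dest.start_with?(root + File::SEPARATOR)

  # On-disk check: walk the components that already exist. A symlink anywhere
  # in the chain means the real destination is not where the path says.
  relative = dest[(root.length + 1)..-1].split(File::SEPARATOR)
  current = root
  relative.each do |component|
    current = File.join(current, component)
    return false if File.symlink?(current) # checked first: dangling links fail File.exist?
    break unless File.exist?(current)      # nothing further exists, nothing further to resolve
  end
  true
end

# Builds a throw-away tree (constructed sample data) and returns the verdicts:
#   root/lib/            a normal directory
#   root/link -> outside a symlink an earlier archive entry could have planted
def demo_confinement
  Dir.mktmpdir do |base|
    root    = File.join(base, "root")
    outside = File.join(base, "outside")
    FileUtils.mkdir_p([File.join(root, "lib"), outside])
    File.symlink(outside, File.join(root, "link"))
    {
      "lib/foo.rb"   => confined_destination?(root, "lib/foo.rb"),   # true
      "../outside/x" => confined_destination?(root, "../outside/x"), # false: climbs out
      "/etc/passwd"  => confined_destination?(root, "/etc/passwd"),  # false: absolute
      "link"         => confined_destination?(root, "link"),         # false: is a symlink
      "link/evil"    => confined_destination?(root, "link/evil"),    # false: passes through one
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_owner_line(handle: "mallory\e[2J\e]0;owned\a", email: "m@example.test")
  p demo_confinement
end
```

Stripping is the simplest policy; a client that wants to show the user that something was removed can instead replace each match with a visible marker such as `\e` written out. The confinement check deliberately refuses any symlink on the path rather than resolving it, because an extraction routine that deletes a pre-existing destination before writing must not follow a link to a location outside the root.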
Fixed versions rubygems-2.7.9 and rubygems-3.0.3 have been added.
@maintainer, please drop vulnerable.