GHSA-mh37-8c3g-3fgc · Severity: high · Ecosystem: rubygems — RubyGems Escape sequence injection vulnerability in gem owner
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
Conclusion & alert: CVE-2019-8322 is rated Moderate Risk (49.6/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.33%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-04 | 0.18% | 0.33% | +0.15% |
| 2 | 2026-03-01 | 0.33% | 0.18% | -0.15% |
| 3 | 2026-02-04 | — | 0.33% | — |
Full EPSS history (42 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-mh37-8c3g-3fgc · Severity: high · Ecosystem: rubygems — RubyGems Escape sequence injection vulnerability in gem owner
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2019-8322 not yet assigned priority: Debian including 2 source packages (jruby, rubygems), 9 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 9. | https://security-tracker.debian.org/tracker/CVE-2019-8322 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2019-8322 |
suse
|
medium | CVE-2019-8322 severity moderate: SUSE including 332 source package names (2.17-17.3:libruby2_5-2_5-2.5.5-4.3.1, 2.17-17.3:ruby2.5-2.5.5-4.3.1, …), 1033 product×package rows across 247 product lines (Container bci/ruby, Container suse/rmt-server, … (247 product lines)): Fixed 874, Known Affected 157, Known Not Affected 2. | https://www.suse.com/security/cve/CVE-2019-8322/ |
ubuntu
|
medium | CVE-2019-8322 medium priority: Ubuntu including 6 source packages (jruby, ruby1.9.1, ruby2.0, ruby2.1, ruby2.3, ruby2.5), 112 status rows across 19 suites (bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 83, not-affected 12, released 8, needs-triage 6, ignored 2, needed 1. | https://ubuntu.com/security/CVE-2019-8322 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| rubygems | rubygems | >= 2.6.0, <= 3.0.2 | cpe:2.3:a:rubygems:rubygems:*:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| opensuse | leap | 15.0 | cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:* |
| opensuse | leap | 15.1 | cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html | Mailing List Third Party Advisory |
| https://hackerone.com/reports/315087 | Permissions Required Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html | Mailing List Third Party Advisory |