Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01ZzRyLTJxaHgtdnFmbc4AArZZ
Use of Uninitialized Variable in trilogy
Impact
When authenticating, a malicious server could return a specially crafted authentication packet, causing the client to read and return up to 12 bytes of data from an uninitialized variable in stack memory.
Patches
Users of the trilogy gem should upgrade to version 2.1.1
Workarounds
This issue can be avoided by only connecting to trusted servers.
Acknowledgements
We would like to thank Sergei Volokitin for reporting this vulnerability
For more information
If you have any questions or comments about this advisory:
- Open an issue in trilogy
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ZzRyLTJxaHgtdnFmbc4AArZZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00133
EPSS Percentile: 0.49529
Identifiers: GHSA-5g4r-2qhx-vqfm, CVE-2022-31026
References:
- https://github.com/github/trilogy/security/advisories/GHSA-5g4r-2qhx-vqfm
- https://github.com/github/trilogy/commit/6bed62789eaf119902b0fe247d2a91d56c31a962
- https://nvd.nist.gov/vuln/detail/CVE-2022-31026
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/trilogy/CVE-2022-31026.yml
- https://github.com/advisories/GHSA-5g4r-2qhx-vqfm
Blast Radius: 8.0
Affected Packages
rubygems:trilogy
Dependent packages: 7Dependent repositories: 23
Downloads: 1,348,016 total
Affected Version Ranges: < 2.1.1
Fixed in: 2.1.1
All affected versions: 2.0.0, 2.1.0
All unaffected versions: 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.8.1, 2.9.0