Description
bootstrap-sass is a Ruby gem, the official Sass port of Bootstrap 2 and 3. On March 26, 2019, a malicious version (version 3.2.0.3) of this gem was published to the official RubyGems repository. This modified gem includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications.
Remediation
Upgrade to the latest version of this Ruby gem (this issue was fixed in version 3.2.0.4).
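A quick way to check whether a deployment pins the backdoored release is to inspect the application's Gemfile.lock. The following script is an added example, not part of this advisory or of the bootstrap-sass project: it parses a constructed Gemfile.lock fragment, pulls out the pinned bootstrap-sass version with RubyGems' own Gem::Version comparison, and classifies it against the malicious (3.2.0.3) and fixed (3.2.0.4) versions named above.

```ruby
# Added example (not from the advisory): detect the backdoored bootstrap-sass
# release in a Gemfile.lock and report whether an upgrade is needed.
require "rubygems"

MALICIOUS_VERSION = Gem::Version.new("3.2.0.3") # the backdoored release
FIXED_VERSION     = Gem::Version.new("3.2.0.4") # first clean release after it

# Constructed sample Gemfile.lock fragment used for demonstration only.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      rails (5.2.2)
LOCK

# Return the pinned Gem::Version of gem_name from Gemfile.lock text, or nil.
# Top-level specs are indented by exactly four spaces; their dependencies
# (indented by six) carry requirement ranges, not pins, so they are skipped.
def pinned_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify the lockfile's bootstrap-sass pin:
#   :not_present  - gem not in the lockfile
#   :malicious    - exactly the backdoored 3.2.0.3 release
#   :below_fixed  - an older release; the advisory still recommends upgrading
#   :ok           - 3.2.0.4 or newer
def assess_bootstrap_sass(lockfile_text)
  version = pinned_version(lockfile_text, "bootstrap-sass")
  return :not_present if version.nil?
  return :malicious if version == MALICIOUS_VERSION
  version >= FIXED_VERSION ? :ok : :below_fixed
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real Gemfile.lock path as the first argument, or use the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "bootstrap-sass status: #{assess_bootstrap_sass(text)}"
end
```

Run it against a real lockfile with `ruby check_bootstrap_sass.rb path/to/Gemfile.lock`; a result of `:malicious` means the pinned release is the one this advisory describes and the gem should be upgraded and the host treated as potentially compromised.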
References
Related Vulnerabilities
Telerik Web UI Unrestricted File Upload (CVE-2014-2217)
Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)
WordPress OptimizePress unrestricted file upload
WordPress Plugin wSecure Lite Remote Code Execution (2.3)
WordPress Plugin ProfileGrid-User Profiles, Groups and Communities Remote Code Execution (2.8.5)