---
gem: strong_password
cve: 2019-13354
url: https://withatwist.dev/strong-password-rubygem-hijacked.html
title: strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
date: 2019-07-05
description: |
  The `strong_password` gem on RubyGems.org was hijacked by a malicious actor.
  The malicious actor published v0.0.7 containing malicious code that enables
  an attacker to execute remote code in production.

  Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution
  is possible.
patched_versions:
  - ">= 0.0.8"
unaffected_versions:
  - "!= 0.0.7"