The ManageIQ team is aware of a vulnerability in rest-client introduced by a compromised account of one of the rest-client maintainers.
This vulnerability has been assigned CVE-2019-15224, at this point the only known version of rest-client that is impacted is
This version has been yanked from rubygems.org and is no longer able to be installed.
All versions of ManageIQ going back to botvinnik-1 have used rest-client 2.0.0 and are not impacted by this vulnerability. ManageIQ anand (Aug 2014) used rest-client 1.6.* and it is recommended that anyone using this version upgrade immediately to a supported version.
To summarize, no released versions of ManageIQ are impacted by this vulnerability.
If you are a developer it is recommended that you check the versions of rest-client that you have installed.
You can check the version of rest-client that ManageIQ is using by running
bundle show rest-client from the main manageiq directory.
$ bundle show rest-client /home/grare/adam/.gem/gems/rest-client-2.0.2
You should also check the versions of rest-client that you have installed on your system with
gem list rest-client:
$ gem list rest-client *** LOCAL GEMS *** rest-client (2.0.2)
If you do have a compromised version of rest-client installed you should remove it immediately! You can do this by running
gem uninstall rest-client --version '= 1.6.13'
You can get more information about the compromise from the rest-client issue: https://github.com/rest-client/rest-client/issues/713
For questions or support, join in on the talk page.
Thank you, The ManageIQ Team