GHSA-qrqm-fpv6-6r8g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qrqm-fpv6-6r8g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-qrqm-fpv6-6r8g/GHSA-qrqm-fpv6-6r8g.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-qrqm-fpv6-6r8g
- Aliases
- Related
- Published
- 2021-02-02T18:50:27Z
- Modified
- 2024-02-20T05:33:35.529997Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N CVSS Calculator
- Summary
- Command Injection Vulnerability in Mechanize
- Details
-
This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).
Impact
Mechanize
>= v2.0,< v2.7.7allows for OS commands to be injected using several classes' methods which implicitly use Ruby'sKernel.openmethod. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:Mechanize::CookieJar#load: since v2.0 (see 208e3ed)Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)Mechanize#download: since v2.2 (see dc91667)Mechanize::Download#saveand#save!since v2.1 (see 98b2f51, bd62ff0)Mechanize::File#saveand#save_as: since v2.1 (see 2bf7519)Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)
Patches
These vulnerabilities are patched in Mechanize v2.7.7.
Workarounds
No workarounds are available. We recommend upgrading to v2.7.7 or later.
References
See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why
Kernel.openshould not be used with untrusted input.For more information
If you have any questions or comments about this advisory, please open an issue in sparklemotion/mechanize.
- Database specific
{ "github_reviewed_at": "2021-02-02T18:50:15Z", "github_reviewed": true, "cwe_ids": [ "CWE-78" ], "severity": "HIGH", "nvd_published_at": "2021-02-02T19:15:00Z" }- References
-
- https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
- https://nvd.nist.gov/vuln/detail/CVE-2021-21289
- https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml
- https://github.com/sparklemotion/mechanize
- https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7
- https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V
- https://rubygems.org/gems/mechanize
- https://security.gentoo.org/glsa/202107-17
Affected packages
RubyGems / mechanize
Package
- Name
- mechanize
- Purl
- pkg:gem/mechanize