Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFycW0tZnB2Ni02cjhn
Command Injection Vulnerability in Mechanize
This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).
Impact
Mechanize >= v2.0, < v2.7.7 allows OS commands to be injected through several methods that implicitly use Ruby's Kernel.open. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:
- Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
- Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
- Mechanize#download: since v2.2 (see dc91667)
- Mechanize::Download#save and #save!: since v2.1 (see 98b2f51, bd62ff0)
- Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
- Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)
Patches
These vulnerabilities are patched in Mechanize v2.7.7.
Workarounds
No workarounds are available. We recommend upgrading to v2.7.7 or later.
References
See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why Kernel.open should not be used with untrusted input.
For more information
If you have any questions or comments about this advisory, please open an issue in sparklemotion/mechanize.
Permalink: https://github.com/advisories/GHSA-qrqm-fpv6-6r8g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFycW0tZnB2Ni02cjhn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Identifiers: GHSA-qrqm-fpv6-6r8g, CVE-2021-21289
References:
- https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
- https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0
- https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7
- https://rubygems.org/gems/mechanize/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21289
- https://lists.fedoraproject.org/archives/list/[email protected]/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
- https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html
- https://security.gentoo.org/glsa/202107-17
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml
- https://github.com/advisories/GHSA-qrqm-fpv6-6r8g
Blast Radius: 29.4
Affected Packages
rubygems:mechanize
Dependent packages: 931
Dependent repositories: 9,296
Downloads: 30,857,969 total
Affected Version Ranges: >= 2.0.0, < 2.7.7
Fixed in: 2.7.7
All affected versions: 2.0.1, 2.1.1, 2.2.1, 2.5.1, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 1.0.0, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0