CVE-2021-21289

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-21289

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21289.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-21289

Aliases

GHSA-qrqm-fpv6-6r8g

Related

Published

2021-02-02T19:15:14Z

Modified

2024-09-18T03:12:47.061223Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#saveas, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#readbody. This is fixed in version 2.7.7.

References

Affected packages

Debian:11 / ruby-mechanize

Package

Name: ruby-mechanize
Purl: pkg:deb/debian/ruby-mechanize?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby-mechanize

Package

Name: ruby-mechanize
Purl: pkg:deb/debian/ruby-mechanize?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-mechanize

Package

Name: ruby-mechanize
Purl: pkg:deb/debian/ruby-mechanize?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/sparklemotion/mechanize

Affected ranges

Type: GIT
Repo: https://github.com/sparklemotion/mechanize
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

66a6a1bfa653a5f13274a396a5e5441238656aa0

Affected versions

REL_0.*

REL_0.7.6

REL_0.7.7

REL_0.7.8

REL_0.8.0

REL_0.8.1

REL_0.8.2

REL_0.8.3

REL_0.8.4

REL_0.8.5

REL_0.9.1

REL_0.9.2

REL_1.*

REL_1.0.0

v2.*

v2.0

v2.0.1

v2.0.pre.1

v2.0.pre.2

v2.1

v2.1.1

v2.1.pre.1

v2.2

v2.2.1

v2.3

v2.4

v2.5

v2.5.1

v2.6.0

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7.4.beta1

v2.7.4.beta2

v2.7.4.beta3

v2.7.5

v2.7.6