GHSA-c5r5-7pfh-6qg6

Suggest an improvement
Source
https://github.com/advisories/GHSA-c5r5-7pfh-6qg6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-c5r5-7pfh-6qg6/GHSA-c5r5-7pfh-6qg6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c5r5-7pfh-6qg6
Aliases
Published
2020-02-14T23:10:01Z
Modified
2024-08-16T03:11:48.282702Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
BibTeX-Ruby vulnerable to OS command injection
Details

BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-13T20:45:35Z"
}
References

Affected packages

RubyGems / bibtex-ruby

Package

Name
bibtex-ruby
Purl
pkg:gem/bibtex-ruby

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.1.0

Affected versions

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12

2.*

2.0.0pre1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4

3.*

3.0.0
3.0.1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7

5.*

5.0.0
5.0.1

Database specific

{
    "last_known_affected_version_range": "<= 5.0.1"
}