GHSA-jppv-gw3r-w3q8

Source
https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-jppv-gw3r-w3q8/GHSA-jppv-gw3r-w3q8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jppv-gw3r-w3q8
Aliases
Published
2020-02-28T16:54:36Z
Modified
2024-02-19T05:32:17.994147Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
OS Command Injection in Rake
Details

There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-25T15:50:03Z"
}
References

Affected packages

RubyGems / rake

Package

Name
rake
Purl
pkg:gem/rake

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
12.3.3

Affected versions

0.*

0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.5.0
0.5.3
0.5.4
0.6.0
0.6.2
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.9.0.beta.0
0.9.0.beta.1
0.9.0.beta.2
0.9.0.beta.4
0.9.0.beta.5
0.9.0
0.9.1
0.9.2
0.9.2.2
0.9.3.beta.1
0.9.3.beta.2
0.9.3.beta.3
0.9.3.beta.4
0.9.3
0.9.4
0.9.5
0.9.6

10.*

10.0.0.beta.1
10.0.0.beta.2
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.1.0.beta.1
10.1.0.beta.2
10.1.0.beta.3
10.1.0
10.1.1
10.2.0
10.2.1
10.2.2
10.3.0
10.3.1
10.3.2
10.4.0
10.4.1
10.4.2
10.5.0

11.*

11.0.1
11.1.0
11.1.1
11.1.2
11.2.0
11.2.2
11.3.0

12.*

12.0.0.beta1
12.0.0
12.1.0
12.2.0
12.2.1
12.3.0
12.3.1
12.3.2

Database specific

{
    "last_known_affected_version_range": "<= 12.3.2"
}