This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).
< v2.7.7 allows for OS commands to be injected using several classes' methods which implicitly use Ruby's
Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:
Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
Mechanize#download: since v2.2 (see dc91667)
#save!since v2.1 (see 98b2f51, bd62ff0)
#save_as: since v2.1 (see 2bf7519)
Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)
These vulnerabilities are patched in Mechanize v2.7.7.
No workarounds are available. We recommend upgrading to v2.7.7 or later.
See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why
Kernel.open should not be used with untrusted input.
If you have any questions or comments about this advisory, please open an issue in sparklemotion/mechanize.