GHSA-vmfh-c547-v45h

Source

https://github.com/advisories/GHSA-vmfh-c547-v45h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-vmfh-c547-v45h/GHSA-vmfh-c547-v45h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vmfh-c547-v45h

Aliases

CVE-2021-33575

Published

2021-10-06T17:48:27Z

Modified

2024-12-05T05:40:04.419664Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote code execution in ruby-jss

Details

The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing.

Database specific

{
    "nvd_published_at": "2021-05-25T23:15:00Z",
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T13:46:32Z"
}

References

Affected packages

RubyGems / ruby-jss

Package

Name: ruby-jss
Purl: pkg:gem/ruby-jss

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.0

Affected versions

0.*

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.7.0

0.8.1

0.8.2

0.9.0.b1

0.9.0.b2

0.9.0

0.9.1

0.9.2

0.10.0a1

0.10.0a2

0.10.0a3

0.10.0

0.10.1a2

0.10.1

0.10.2a4

0.10.2a5

0.10.2

0.11.0a5

0.11.0a6

0.11.0b1

0.11.0b2

0.11.0b3

0.11.0

0.12.0

0.13.0

0.14.0

1.*

1.0.0b2

1.0.0b6

1.0.0

1.0.1

1.0.2

1.0.3b1

1.0.3b2

1.0.3b3

1.0.3b4

1.0.3b5

1.0.4b1

1.0.4

1.1.0b1

1.1.0b2

1.1.0b3

1.1.0b5

1.1.3

1.2.0b1

1.2.0

1.2.2

1.2.3

1.2.4a1

1.2.4a2

1.2.4a3

1.2.4a4

1.2.6

1.2.9

1.2.10

1.3.2

1.3.3

1.4.1

1.5.1

1.5.2

1.5.3

1.6.0b1