There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
[
  {
    "product": "https://github.com/ruby/ruby",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in Rake 12.3.3"
      }
    ]
  }
]
lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
hackerone.com/reports/651518
lists.debian.org/debian-lts-announce/2020/02/msg00026.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/523CLQ62VRN3VVC52KMPTROCCKY4Z36B/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMX4ARNX2JLRJMSH4N3J3UBMUT5CI44/
usn.ubuntu.com/4295-1/