CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Percentile: 69.7%
This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

Mechanize >= v2.0, < v2.7.7 allows OS commands to be injected through several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

- Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
- Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
- Mechanize#download: since v2.2 (see dc91667)
- Mechanize::Download#save and #save!: since v2.1 (see 98b2f51, bd62ff0)
- Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
- Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

These vulnerabilities are patched in Mechanize v2.7.7.

No workarounds are available. We recommend upgrading to v2.7.7 or later.

See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why Kernel.open should not be used with untrusted input.
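The root cause the advisory describes is that Kernel#open treats a filename whose first character is "|" as a command to spawn, whereas File.open only ever opens a path. The following is an added example, not Mechanize's own code and not the fix in commit 66a6a1b; every function and constant name in it is hypothetical. It shows the hardened shape of a "save to a caller-supplied filename" routine (plain File.open, pipe-style names and directory escapes refused up front) together with a line-based triage scanner that flags the call shape the RuboCop Security/Open cop warns about, run over a constructed source snippet.

```ruby
require "tmpdir"

# Added example, not Mechanize's code. All names below are hypothetical.

# Kernel#open interprets a leading "|" as "run this command and open a pipe
# to it". File.open never does. This predicate names that input class so a
# save routine can refuse it before any I/O happens.
def pipe_filename?(filename)
  filename.to_s.start_with?("|")
end

# Hardened replacement for a save-to-filename routine:
#   * File.open instead of Kernel#open, so no command is ever spawned
#   * pipe-style names rejected explicitly, so a later refactor back to a
#     bare open(...) is caught by the same tests
#   * resolved path confined to +dir+, which also stops "../" traversal
def safe_save(dir, filename, body)
  raise ArgumentError, "filename must not be a command pipe" if pipe_filename?(filename)

  base   = File.expand_path(dir)
  target = File.expand_path(filename, base)
  unless target.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "filename escapes the target directory"
  end

  File.open(target, "wb") { |io| io.write(body) }
  target
end

# Triage scanner for the risky call shape. It matches `open(` with an
# optional constant receiver and treats only known plain-file APIs as safe.
# URI.open is deliberately NOT on the safe list: for a string that is not a
# URL it falls through to Kernel#open, which is why Security/Open flags it.
OPEN_CALL = /(?<![\w:.])(?:(?<recv>[A-Z]\w*(?:::[A-Z]\w*)*)\.)?open\s*\(/
SAFE_OPEN_RECEIVERS = %w[File IO Dir Tempfile].freeze

# Returns [[line_number, stripped_line], ...] for each line whose first
# open( call is not on a known-safe receiver. Line-based and conservative;
# it is a review aid, not a Ruby parser.
def risky_open_calls(source)
  source.each_line.with_index(1).each_with_object([]) do |(line, lineno), found|
    m = line.match(OPEN_CALL)
    next unless m
    next if m[:recv] && SAFE_OPEN_RECEIVERS.include?(m[:recv])

    found << [lineno, line.strip]
  end
end

# Constructed sample source (not from Mechanize) exercising the scanner.
SAMPLE_SOURCE = <<~RUBY
  def save_as(filename)
    open(filename, "wb") { |f| f.write(body) }   # risky: bare Kernel#open
  end

  def load(cookie_file)
    File.open(cookie_file) { |f| parse(f.read) }  # plain file API, not flagged
  end

  def fetch(name)
    URI.open(name)                                 # falls back to Kernel#open for non-URL strings
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  risky_open_calls(SAMPLE_SOURCE).each { |n, l| puts "line #{n}: #{l}" }
  Dir.mktmpdir do |dir|
    puts "wrote #{safe_save(dir, 'cookies.yml', 'session=abc')}"
    begin
      safe_save(dir, "|id", "")
    rescue ArgumentError => e
      puts "refused: #{e.message}"
    end
  end
end
```

The scanner is intentionally narrow: it reports the first `open(` per line and whitelists only receivers that are plain file or directory APIs, so a call through a project-specific constant (for example a module that wraps Kernel#open) is still reported for a human to look at.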
If you have any questions or comments about this advisory, please open an issue in sparklemotion/mechanize.
Vendor | Product | Version | CPE |
---|---|---|---|
mechanize_project | mechanize | * | cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:* |
github.com/advisories/GHSA-qrqm-fpv6-6r8g
github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml
github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0
github.com/sparklemotion/mechanize/releases/tag/v2.7.7
github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
lists.debian.org/debian-lts-announce/2021/02/msg00021.html
lists.fedoraproject.org/archives/list/[email protected]/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
lists.fedoraproject.org/archives/list/[email protected]/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
nvd.nist.gov/vuln/detail/CVE-2021-21289
rubygems.org/gems/mechanize/
security.gentoo.org/glsa/202107-17