CVE-2021-21289

2021-02-0200:00:00

ubuntu.com

mechanize

ruby

command injection

vulnerability

mechanize::cookiejar

mechanize::download

mechanize::fileresponse

CVSS2

7.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%

JSON

Mechanize is an open-source ruby library that makes automated web
interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7
there is a command injection vulnerability. Affected versions of mechanize
allow for OS commands to be injected using several classes’ methods which
implicitly use Ruby’s Kernel.open method. Exploitation is possible only if
untrusted input is used as a local filename and passed to any of these
calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as,
Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and
Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchruby-mechanize< anyUNKNOWN
ubuntu20.04noarchruby-mechanize< anyUNKNOWN
ubuntu22.04noarchruby-mechanize< anyUNKNOWN
ubuntu16.04noarchruby-mechanize< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	ruby-mechanize	< any	UNKNOWN
ubuntu	20.04	noarch	ruby-mechanize	< any	UNKNOWN
ubuntu	22.04	noarch	ruby-mechanize	< any	UNKNOWN
ubuntu	16.04	noarch	ruby-mechanize	< any	UNKNOWN