mechanize is vulnerable to OS command injection. The Ruby Kernel.open method, which the gem reached through several of its class methods, could be used to inject and execute arbitrary OS commands. Exploitation is possible when untrusted input is used as a local filename and is passed to the affected methods.
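The hazard behind this advisory is a general property of Ruby: Kernel#open treats an argument that begins with `|` as a shell command to spawn rather than a file to open, whereas File.open always treats its argument as a path. The following is an added example, not mechanize's own code or its actual fix; it shows the unsafe pattern as a comment, a hardened save routine built on File.open plus a filename check, and a small probe confirming that File.open does not spawn anything for a pipe-prefixed name. The helper names (`safe_local_name?`, `save_body`) are this example's own.

```ruby
# Added example (not from mechanize): saving a response body to a
# caller-supplied local filename safely.
#
# Unsafe pattern: Kernel#open on an attacker-influenced name.
#   open(filename, 'wb') { |f| f.write(body) }   # "|cmd" would spawn cmd
#
# File.open has no pipe syntax, so the same call with File.open only ever
# touches the filesystem.
require 'tmpdir'

# Conservative allow-list style check for a name that will be joined onto
# a directory we control. It rejects the Kernel#open pipe prefix, NUL bytes
# (which truncate C-level paths) and anything that could escape the
# directory. Legitimate names containing ".." are rejected too; that
# trade-off is deliberate for a local-save helper.
def safe_local_name?(name)
  return false if name.nil? || name.empty?
  return false if name.start_with?('|')          # Kernel#open would spawn a command
  return false if name.include?("\0")            # NUL truncation
  return false if name.include?('/') || name.include?('\\')
  return false if name.include?('..')            # traversal components
  true
end

# Hardened save: validates the name, confines it to dir, and uses File.open
# so the argument is never interpreted as a command.
def save_body(dir, name, body)
  raise ArgumentError, "unsafe filename: #{name.inspect}" unless safe_local_name?(name)
  path = File.join(dir, name)
  File.open(path, 'wb') { |f| f.write(body) }
  path
end

# Probe: inside an empty directory, File.open('|true') raises ENOENT (no file
# literally named "|true" exists) instead of running `true`.
def file_open_treats_pipe_as_path?(dir)
  Dir.chdir(dir) do
    File.open('|true', 'rb') { |f| f.read }
  end
  false # only reached if a file named "|true" actually exists
rescue Errno::ENOENT
  true
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    puts save_body(d, 'page.html', '<html></html>')
    puts "File.open treats '|true' as a path: #{file_open_treats_pipe_as_path?(d)}"
    begin
      save_body(d, '|id', 'x')
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The filename check is defence in depth: File.open alone removes the command-execution path described in the advisory, and the check additionally keeps the saved file inside the intended directory.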
github.com/advisories/GHSA-qrqm-fpv6-6r8g
github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0
github.com/sparklemotion/mechanize/pull/548
github.com/sparklemotion/mechanize/releases/tag/v2.7.7
github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
lists.debian.org/debian-lts-announce/2021/02/msg00021.html
lists.fedoraproject.org/archives/list/[email protected]/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
lists.fedoraproject.org/archives/list/[email protected]/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
rubygems.org/gems/mechanize/
security.gentoo.org/glsa/202107-17