rdoc Critical
Command Injection
Discovered 4 months ago
Published 9 months ago
Category: Command Injection
Severity: Critical

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit this to execute arbitrary commands against a user who attempts to run the rdoc command.
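
A pre-flight check for the issue described above, as an added example that is not part of the advisory or of RDoc's own code: it flags files whose names start with | (marking those that also end with tags), compares an rdoc version against the patched 6.3.1, and reads a file with File.open, which takes the name literally. The function names and the sample file name used to exercise it are assumptions made for illustration.

```ruby
require "rubygems" # Gem::Version (normally preloaded; explicit for clarity)

# "Patched Versions" value taken from this advisory.
PATCHED_RDOC = Gem::Version.new("6.3.1")

# True when the given rdoc version string predates the patched release.
def rdoc_vulnerable?(version)
  Gem::Version.new(version) < PATCHED_RDOC
end

# Project-relative paths of regular files whose name starts with "|".
# Kernel#open treats a string with a leading "|" as a command to spawn,
# so these names are flagged at any depth (the tool may be started from
# a subdirectory). :advisory_match marks names that also end with "tags",
# the exact shape the advisory describes.
def pipe_named_files(root)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: root).sort.map do |rel|
    name = File.basename(rel)
    next unless File.file?(File.join(root, rel)) && name.start_with?("|")
    { path: rel, advisory_match: name.end_with?("tags") }
  end.compact
end

# Reads up to `limit` bytes by literal file name. File.open gives "|"
# no special meaning, so nothing is executed.
def read_literal(path, limit = 100)
  File.open(path, "rb") { |io| io.read(limit) }
end

# Pre-flight decision: false when an unpatched rdoc would meet a
# pipe-named file in the tree.
def safe_to_run_rdoc?(root, rdoc_version)
  !(rdoc_vulnerable?(rdoc_version) && pipe_named_files(root).any?)
end
```

Run pipe_named_files against an untrusted checkout before generating documentation; a non-empty result on a patched rdoc is still worth reviewing, since other tools may open the same names with Kernel#open.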

CVSS Metrics
Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

>= 6.3.1

Unaffected Versions