CVE-2021-21289

Published about 1 month ago
Category: Command Injection
Source: GitHub
Severity: Critical

Vulnerability in mechanize

Impact

Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected using several classes’ methods which implicitly use Ruby’s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

  • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
  • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
  • Mechanize#download: since v2.2 (see dc91667)
  • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
  • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
  • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

Patches

These vulnerabilities are patched in Mechanize v2.7.7.

Workarounds

No workarounds are available. We recommend upgrading to v2.7.7 or later.

References

See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why Kernel.open should not be used with untrusted input.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 2.7.7

Unaffected Versions

< 2.0

References

n/a