CVE-2021-21289 – mechanize
Package
Manager: gem
Name: mechanize
Vulnerable Version: >=2.0.0 <2.7.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.02503 (percentile 0.84774)
Details
Command Injection Vulnerability in Mechanize

This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

### Impact

Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected using several classes' methods which implicitly use Ruby's `Kernel.open` method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

- `Mechanize::CookieJar#load`: since v2.0 (see 208e3ed)
- `Mechanize::CookieJar#save_as`: since v2.0 (see 5b776a4)
- `Mechanize#download`: since v2.2 (see dc91667)
- `Mechanize::Download#save` and `#save!`: since v2.1 (see 98b2f51, bd62ff0)
- `Mechanize::File#save` and `#save_as`: since v2.1 (see 2bf7519)
- `Mechanize::FileResponse#read_body`: since v2.0 (see 01039f5)

### Patches

These vulnerabilities are patched in Mechanize v2.7.7.

### Workarounds

No workarounds are available. We recommend upgrading to v2.7.7 or later.

### References

See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why `Kernel.open` should not be used with untrusted input.

### For more information

If you have any questions or comments about this advisory, please open an issue in [sparklemotion/mechanize](https://github.com/sparklemotion/mechanize/issues/new).
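The root cause named above is that `Kernel.open` treats a filename beginning with `|` as a request to spawn a subprocess, whereas `File.open` only ever opens a file. The following is an added example, not code from the advisory or from the Mechanize project: `save_body` and `pipe_filename?` are hypothetical helpers that show the safe replacement (`File.open`) and a defensive check an application can apply when it must accept a user-supplied local filename. The sample filename is constructed for the demonstration and is written into a temporary directory.

```ruby
require "tmpdir"

# Hypothetical helper (not Mechanize's own code): write a response body to a
# local path using File.open, which is the class of fix applied in v2.7.7.
# File.open has no special handling for a leading "|", so a name that
# Kernel.open would hand to a shell is simply created as a file.
def save_body(path, body)
  File.open(path, "wb") { |io| io.write(body) }
  path
end

# Defensive check for callers that still accept user-controlled filenames:
# refuse any name Kernel.open would interpret as a command pipeline.
def pipe_filename?(name)
  name.to_s.lstrip.start_with?("|")
end

# Demonstration: inside a scratch directory, save a body under a constructed
# filename that starts with "|" and read it back. Returns the file content,
# proving no process was spawned and a literal file was written.
def demo_literal_file
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      name = "|echo constructed-sample"   # constructed, relative path
      save_body(name, "body bytes")
      File.read(name)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  puts "saved and read back: #{demo_literal_file.inspect}"
  puts "rejects pipe name: #{pipe_filename?('|ls')}"
  puts "accepts plain name: #{!pipe_filename?('cookies.yml')}"
end
```

The check in `pipe_filename?` is a belt-and-braces measure; the actual fix is to never pass untrusted strings to `Kernel.open` (or bare `open`) and to upgrade to Mechanize v2.7.7 or later.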
Metadata
Created: 2021-02-02T18:50:27Z
Modified: 2022-04-27T20:24:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-qrqm-fpv6-6r8g/GHSA-qrqm-fpv6-6r8g.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-qrqm-fpv6-6r8g
Finding: F404
Auto approve: 1