CVE-2021-21289

Published: Feb 2, 2021Modified: Nov 21, 2024

8.3

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 6.0

Source: NVD

Description

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.

Affected (4)

Products: Mechanize Project: Mechanize · Fedoraproject: Fedora · Debian: Debian Linux

Mechanize Project

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mechanize Project Mechanize	From 2.0 to 2.7.7

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (16)

https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

Source: security-advisories@github.com

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/

Source: security-advisories@github.com

https://rubygems.org/gems/mechanize/

Source: security-advisories@github.com

ProductThird Party Advisory

https://security.gentoo.org/glsa/202107-17

Source: security-advisories@github.com

Third Party Advisory

https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/

Source: af854a3a-2127-422b-91ae-364da2661108

https://rubygems.org/gems/mechanize/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://security.gentoo.org/glsa/202107-17

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.