CVE-2021-31799

Published: Jul 30, 2021Modified: Nov 21, 2024

7.0

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.0 / Impact: 5.9

Source: NVD

Description

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

Affected (4)

Products: Debian: Debian Linux · Ruby Lang: Rdoc · Oracle: Jd Edwards Enterpriseone Tools

1 product

1 product

1 product

Jd Edwards Enterpriseone Tools

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ruby Lang Rdoc	From 3.11 to 6.3.1

Running on/with	Platform Versions
Ruby Lang Ruby	Up to 3.0.1

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Jd Edwards Enterpriseone Tools	Before 9.2.6.1

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (12)

https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html

Source: cve@mitre.org

Third Party Advisory

https://security-tracker.debian.org/tracker/CVE-2021-31799

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/202401-05

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20210902-0004/

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/

Source: cve@mitre.org

PatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html