CVE-2019-16255 — Code Injection in Ruby

CWE-94 — Code Injection10 documents9 sources

Severity

8.1HIGHNVD

EPSS

1.2%

top 21.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jruby Ruby-lang Ruby Debian Linux +2 more

Timeline

PublishedNov 26

Latest updateMay 24

Description

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

▶Debianjruby/jruby< 9.3.9.0+ds-1+2

▶NVDruby-lang/ruby2.4.0 — 2.4.7+2

▶NVDopensuse/leap15.1

▶NVDoracle/graalvm19.3.0.2

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: hackerone.com ↗Patch: www.oracle.com ↗Patch: hackerone.com ↗

🔴Vulnerability Details

GHSA

GHSA-ph7w-p94x-9vvw: Ruby through 2↗2022-05-24

▶

CVEList

CVE-2019-16255: Ruby through 2↗2019-11-26

▶

OSV

CVE-2019-16255: Ruby through 2↗2019-11-26

▶

OSV

ruby2.3, ruby2.5 vulnerabilities↗2019-11-26

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2019-11-26

▶

Red Hat

ruby: Code injection via command argument of Shell#test / Shell#[]↗2019-11-26

▶

Microsoft

Ruby through 2.4.7 2.5.x through 2.5.6 and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An ↗2019-11-12

▶

Debian

CVE-2019-16255: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code inj...↗2019

▶

💬Community

Bugzilla

CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[]↗2020-01-21

▶