CVE-2019-16255
Published 2019-11-26
CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or…
Priority: P352 · Severity: high · CVSS 3.1 base score: 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.22% (89.7th percentile)
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | jruby | < jruby 9.3.9.0+ds-1 (bookworm) | jruby 9.3.9.0+ds-1 (bookworm) |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0 | — | — |
| opensuse | leap | — | — |
| oracle | graalvm | — | — |
| ruby-lang | ruby | 2.4.0 – 2.4.7 | — |
| ruby-lang | ruby | 2.5.0 – 2.5.6 | — |
| ruby-lang | ruby | 2.6.0 – 2.6.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_msrc | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
Ubuntu
Ruby vulnerabilities
vendor_ubuntu · 2019-11-26 · CVSS 6.5
CVE-2019-15845 [MEDIUM]
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this issue to bypass path matching,
which can lead to unauthorized access. (CVE-2019-15845)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service.
(CVE-2019-16201)
It was discovered that Ruby incorrectly handled certain HTTP headers.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16254)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16255)
Instructions: In general, a standard system update will make all
Red Hat
ruby: Code injection via command argument of Shell#test / Shell#[]
vendor_redhat · 2019-11-26 · CVSS 8.1
CVE-2019-16255 [HIGH] CWE-94
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Package: 3amp-system (Red Hat 3scale API Management Platform 2) - Will not fix
Package: ruby (Red Hat Enterprise Linux 5) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 7) - Will not fix
Package: rh-ruby24-ruby (Red Hat Software Collections) - Will not fix
Microsoft
vendor_msrc · 2019-11-12 · CVSS 8.1
CVE-2019-16255 [HIGH] CWE-94
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impa
Debian
CVE-2019-16255: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code inj...
vendor_debian · 2019 · CVSS 8.1
CVE-2019-16255 [HIGH]
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Scope: local
bookworm: resolved (fixed in 9.3.9.0+ds-1)
forky: resolved (fixed in 9.3.9.0+ds-1)
sid: resolved (fixed in 9.3.9.0+ds-1)
trixie: resolved (fixed in 9.3.9.0+ds-1)
VulDB
Ruby up to 2.4.7/2.5.6/2.6.4 lib/shell.rb Argument injection (DLA 2027-1 / WID-SEC-2023-1110)
vuldb · 2026-05-10 · CVSS 8.1
CVE-2019-16255 [HIGH]
A vulnerability was found in Ruby up to 2.4.7/2.5.6/2.6.4 and has been declared critical. The affected code is an unknown function in the library lib/shell.rb; manipulation of an argument can lead to injection.
This vulnerability is identified as CVE-2019-16255. The attack may be launched remotely. No exploit is available.
GHSA
GHSA-ph7w-p94x-9vvw: Ruby through 2
ghsa_unreviewed · 2022-05-24
CVE-2019-16255 [HIGH] CWE-94
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
OSV
CVE-2019-16255: Ruby through 2
osv · 2019-11-26 · CVSS 8.1
CVE-2019-16255 [HIGH]
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
OSV
ruby2.3, ruby2.5 vulnerabilities
osv · 2019-11-26 · CVSS 6.5
CVE-2019-15845 [MEDIUM]
It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this issue to bypass path matching,
which can lead to unauthorized access. (CVE-2019-15845)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service.
(CVE-2019-16201)
It was discovered that Ruby incorrectly handled certain HTTP headers.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16254)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16255)
No detection rules found.
No public exploits indexed.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- https://hackerone.com/reports/327512
- https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://seclists.org/bugtraq/2019/Dec/31
- https://seclists.org/bugtraq/2019/Dec/32
- https://security.gentoo.org/glsa/202003-06
- https://www.debian.org/security/2019/dsa-4587
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.ruby-lang.org/ja/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
- https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/
- https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/
- https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/