CVE-2021-21289: OS Command Injection in Project Mechanize

Severity: 8.3 HIGH (NVD)
EPSS: 2.5% (top 14.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 2

Description

Mechanize is an open-source Ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of Mechanize allow OS commands to be injected through several classes' methods that implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as,
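The root cause is that Kernel.open treats a string beginning with "|" as a command to spawn, while File.open only ever opens a filesystem path. The following is an added example of a hardened local-file helper of the kind a library's load/save methods need; it is not Mechanize's own code, and the module name, method names and sample data are constructed for illustration.

```ruby
# Added example: a hardened local-file loader/saver. Not Mechanize's own code.
#
# Kernel.open("|cmd") spawns a process, so an untrusted filename passed to it
# is an OS command injection sink. File.open has no such behaviour: it only
# opens a path. The explicit check below is defence in depth on top of that.
require "tempfile"

module SafeLocalFile
  class PipeFilenameError < ArgumentError; end

  # True when a filename would be read by Kernel.open as a pipe command.
  # Leading whitespace is stripped first to be conservative.
  def self.pipe_like?(filename)
    filename.to_s.lstrip.start_with?("|")
  end

  # Read a local file. Rejects pipe-like names and uses File.open, which
  # cannot spawn a process regardless of the name it is given.
  def self.read(filename)
    raise PipeFilenameError, "refusing pipe-like filename" if pipe_like?(filename)
    File.open(filename, "rb") { |f| f.read }
  end

  # Write a local file with the same safeguards.
  def self.write(filename, data)
    raise PipeFilenameError, "refusing pipe-like filename" if pipe_like?(filename)
    File.open(filename, "wb") { |f| f.write(data) }
  end
end

# Round-trips constructed cookie-jar-like data through a temp file and checks
# that a constructed pipe-like name is refused instead of being opened.
def demo
  tmp = Tempfile.new("jar")
  SafeLocalFile.write(tmp.path, "session=abc\n")
  round_trip = SafeLocalFile.read(tmp.path)
  rejected = begin
    SafeLocalFile.read("|constructed_pipe_like_name")
    false
  rescue SafeLocalFile::PipeFilenameError
    true
  end
  tmp.close!
  { round_trip: round_trip, rejected: rejected }
end
```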

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 6.0

Affected Packages (4 packages)

Debian: debian/ruby-mechanize, < ruby-mechanize 2.7.7-1 (bookworm)
NVD: mechanize_project/mechanize, introduced 2.0, fixed 2.7.7
RubyGems: mechanize_project/mechanize, introduced 2.0.0, fixed 2.7.7
CVEListV5: sparklemotion/mechanize, >= 2.0, < 2.7.7

Also affects: Debian Linux 9.0, Fedora 32, 33

Patches

Vulnerability Details (3)

OSV: CVE-2021-21289: Mechanize is an open-source ruby library that makes automated web interaction easy (2021-02-02)
GHSA: Command Injection Vulnerability in Mechanize (2021-02-02)
OSV: Command Injection Vulnerability in Mechanize (2021-02-02)

Vendor Advisories (2)

Red Hat: rubygem-mechanize: OS command injection via untrusted input to Ruby's Kernel.open method (2021-02-01)
Debian: CVE-2021-21289: ruby-mechanize - Mechanize is an open-source ruby library that makes automated web interaction ea... (2021)