CVE-2021-31799 — OS Command Injection in Rdoc

CWE-78 — OS Command Injection CWE-74 — Injection CWE-77 — Command Injection9 documents7 sources

Severity

7.0HIGHNVD

EPSS

0.4%

top 42.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle JD Edwards Enterpriseone Tools Ruby-lang Rdoc Debian Linux

Timeline

PublishedJul 30

Latest updateSep 1

Description

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages3 packages

▶NVDruby-lang/rdoc3.11 — 6.3.1

▶RubyGemsruby-lang/rdoc3.11 — 6.1.2.1+2

▶NVDoracle/jd_edwards_enterpriseone_tools< 9.2.6.1

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.ruby-lang.org ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Arbitrary Code Execution in Rdoc↗2021-09-01

▶

OSV

Arbitrary Code Execution in Rdoc↗2021-09-01

▶

OSV

CVE-2021-31799: In RDoc 3↗2021-07-30

▶

CVEList

CVE-2021-31799: In RDoc 3↗2021-07-29

▶

OSV

ruby2.3, ruby2.5, ruby2.7 vulnerabilities↗2021-07-21

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2021-07-21

▶

Red Hat

rubygem-rdoc: Command injection vulnerability in RDoc↗2021-05-02

▶

Debian

CVE-2021-31799: ruby2.7 - In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, i...↗2021

▶