Arbitrary Code Injection in ruby

Do your applications use this vulnerable package? Test your applications

Overview

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

References

Bugtraq Mailing List
Bugtraq Mailing List
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CVE Details
Debian Security Advisory
Debian Security Announcement
Debian Security Announcement
Debian Security Tracker
GENTOO
HackerOne Report
MISC
MLIST
SUSE
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

CVE: CVE-2019-16255
CWE: CWE-94
Snyk ID: SNYK-ALPINE39-RUBY-489096
Disclosed: 26 Nov, 2019
Published: 13 Nov, 2019

Arbitrary Code Injection
Affecting ruby package, versions <2.5.7-r0

Overview

References

CVSS Score

Arbitrary Code Injection Affecting ruby package, versions <2.5.7-r0

Overview

References

Arbitrary Code Injection
Affecting ruby package, versions <2.5.7-r0