GSD-2021-21289

Vulnerability from gsd - Updated: 2021-02-01 00:00
Details
## Impact Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected using several classes' methods which implicitly use Ruby's `Kernel.open` method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: * Mechanize::CookieJar#load: since v2.0 (see 208e3ed) * Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4) * Mechanize#download: since v2.2 (see dc91667) * Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0) * Mechanize::File#save and #save_as: since v2.1 (see 2bf7519) * Mechanize::FileResponse#read_body: since v2.0 (see 01039f5) ## Patches These vulnerabilities are patched in Mechanize v2.7.7. ## Workarounds No workarounds are available. We recommend upgrading to v2.7.7 or later. ## References See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why `Kernel.open` should not be used with untrusted input.
Aliases
Aliases
CVE-2021-21289
To clipboard 

{
  "GSD": {
    "alias": "CVE-2021-21289",
    "description": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.",
    "id": "GSD-2021-21289",
    "references": [
      "https://advisories.mageia.org/CVE-2021-21289.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "mechanize",
            "purl": "pkg:gem/mechanize"
          }
        }
      ],
      "aliases": [
        "CVE-2021-21289",
        "GHSA-qrqm-fpv6-6r8g"
      ],
      "details": "## Impact\n\nMechanize `\u003e= v2.0`, `\u003c v2.7.7` allows for OS commands to be injected using several\nclasses\u0027 methods which implicitly use Ruby\u0027s `Kernel.open` method. Exploitation is\npossible only if untrusted input is used as a local filename and passed to any of\nthese calls:\n\n* Mechanize::CookieJar#load: since v2.0 (see 208e3ed)\n* Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)\n* Mechanize#download: since v2.2 (see dc91667)\n* Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)\n* Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)\n* Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)\n\n## Patches\n\nThese vulnerabilities are patched in Mechanize v2.7.7.\n\n## Workarounds\n\nNo workarounds are available. We recommend upgrading to v2.7.7 or later.\n\n## References\n\nSee https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background\non why `Kernel.open` should not be used with untrusted input.",
      "id": "GSD-2021-21289",
      "modified": "2021-02-01T00:00:00.000Z",
      "published": "2021-02-01T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.4,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Mechanize ruby gem Command Injection vulnerability"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21289",
        "STATE": "PUBLIC",
        "TITLE": "Command Injection Vulnerability in Mechanize"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "mechanize",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2.0, \u003c 2.7.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "sparklemotion"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
            "refsource": "CONFIRM",
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
          },
          {
            "name": "https://rubygems.org/gems/mechanize/",
            "refsource": "MISC",
            "url": "https://rubygems.org/gems/mechanize/"
          },
          {
            "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
            "refsource": "MISC",
            "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
          },
          {
            "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
            "refsource": "MISC",
            "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
          },
          {
            "name": "FEDORA-2021-24fdc228e4",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
          },
          {
            "name": "FEDORA-2021-db8ebc547e",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
          },
          {
            "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
          },
          {
            "name": "GLSA-202107-17",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202107-17"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qrqm-fpv6-6r8g",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-21289",
      "cvss_v3": 7.4,
      "date": "2021-02-01",
      "description": "## Impact\n\nMechanize `\u003e= v2.0`, `\u003c v2.7.7` allows for OS commands to be injected using several\nclasses\u0027 methods which implicitly use Ruby\u0027s `Kernel.open` method. Exploitation is\npossible only if untrusted input is used as a local filename and passed to any of\nthese calls:\n\n* Mechanize::CookieJar#load: since v2.0 (see 208e3ed)\n* Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)\n* Mechanize#download: since v2.2 (see dc91667)\n* Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)\n* Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)\n* Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)\n\n## Patches\n\nThese vulnerabilities are patched in Mechanize v2.7.7.\n\n## Workarounds\n\nNo workarounds are available. We recommend upgrading to v2.7.7 or later.\n\n## References\n\nSee https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background\non why `Kernel.open` should not be used with untrusted input.",
      "gem": "mechanize",
      "ghsa": "qrqm-fpv6-6r8g",
      "patched_versions": [
        "\u003e= 2.7.7"
      ],
      "title": "Mechanize ruby gem Command Injection vulnerability",
      "unaffected_versions": [
        "\u003c 2.0"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.0 \u003c2.7.7",
          "affected_versions": "All versions starting from 2.0 before 2.7.7",
          "cvss_v2": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2022-04-26",
          "description": "Mechanize is an open-source ruby library that makes automated web interaction easy.",
          "fixed_versions": [
            "2.7.7"
          ],
          "identifier": "CVE-2021-21289",
          "identifiers": [
            "CVE-2021-21289",
            "GHSA-qrqm-fpv6-6r8g"
          ],
          "not_impacted": "All versions before 2.0, all versions starting from 2.7.7",
          "package_slug": "gem/mechanize",
          "pubdate": "2021-02-02",
          "solution": "Upgrade to version 2.7.7 or above.",
          "title": "OS Command Injection",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21289"
          ],
          "uuid": "3c307d5f-76e6-4f41-a694-f65cc20c070a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.7",
                "versionStartIncluding": "2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21289"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                },
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://rubygems.org/gems/mechanize/",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://rubygems.org/gems/mechanize/"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
            },
            {
              "name": "FEDORA-2021-24fdc228e4",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
            },
            {
              "name": "FEDORA-2021-db8ebc547e",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
            },
            {
              "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
            },
            {
              "name": "GLSA-202107-17",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202107-17"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.6,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2022-04-26T15:07Z",
      "publishedDate": "2021-02-02T19:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.