CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31033 – Authorization header leak in rubygem Mechanize
https://notcve.org/view.php?id=CVE-2022-31033
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue. • https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317 https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-21289 – Command Injection Vulnerability in Mechanize
https://notcve.org/view.php?id=CVE-2021-21289
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7. • https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0 https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AW • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •