CVE-2021-21289
Command Injection Vulnerability in Mechanize
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
Mechanize es una biblioteca de ruby ??de código abierto que facilita la interacción web automatizada. En Mechanize desde versión 2.0.0 y versiones anteriores a 2.7.7, se presenta una vulnerabilidad de inyección de comandos. Las versiones afectadas de mechanize permiten a unos comandos del Sistema Operativo ser inyectados usando métodos de varias clases que implícitamente usan el método Kernel.open de Ruby. Una explotación es posible solo si es usada una entrada que no sea confiable como nombre de archivo local y sea pasada a cualquiera de estas llamadas: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save y Mechanize::FileResponse#read_body. Esto es corregido en versión 2.7.7
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-22 CVE Reserved
- 2021-02-02 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 | Release Notes | |
| https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html | Mailing List |
|
| https://rubygems.org/gems/mechanize | Product |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mechanize Project Search vendor "Mechanize Project" | Mechanize Search vendor "Mechanize Project" for product "Mechanize" | >= 2.0 < 2.7.7 Search vendor "Mechanize Project" for product "Mechanize" and version " >= 2.0 < 2.7.7" | ruby |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||