| Type | Arbitrary code execution |
It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to code injection. Shell#[] and its alias Shell#test, defined in lib/shell.rb, allow code injection if the first argument (the "command" argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 02 Oct 2019 | ASA-201910-5 | AVG-1040 | ruby2.5 | Medium | multiple issues |
| 02 Oct 2019 | ASA-201910-2 | AVG-1039 | ruby | Medium | multiple issues |
Note that passing untrusted data to methods of Shell is dangerous in general, and users must never do it. This particular case is nevertheless treated as a vulnerability because the intended purpose of Shell#[] and Shell#test is file testing only.
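The mitigation a caller can apply on its own side, as an added example that is not part of the tracker page or of Ruby's lib/shell.rb: dispatch file tests only through an explicit allowlist of FileTest predicates, so an untrusted "command" string can never select an arbitrary method. The allowlist contents, the `safe_file_test` and `rejected?` names and the error class are assumptions of this example.

```ruby
# Added example: a defensive wrapper around FileTest that refuses any
# command outside a fixed allowlist, instead of forwarding the string
# to Module#send the way the vulnerable Shell#test did.
require "tempfile"

# Assumed allowlist: the FileTest predicates a caller legitimately needs.
# Anything else (e.g. "system", "eval", "instance_eval") is rejected.
FILE_TEST_ALLOWLIST = %w[
  exist? file? directory? readable? writable? executable?
  size? zero? symlink? pipe? socket?
].freeze

class UnsafeFileTestCommand < ArgumentError; end

# Runs the named FileTest predicate on path and returns its result.
# String and Symbol commands are normalised; anything not on the
# allowlist raises UnsafeFileTestCommand before any dispatch happens.
def safe_file_test(command, path)
  name = command.to_s
  unless FILE_TEST_ALLOWLIST.include?(name)
    raise UnsafeFileTestCommand, "refusing to dispatch #{name.inspect}"
  end
  # public_send, not send: even if the allowlist drifts, private Kernel
  # methods such as system or eval remain unreachable through FileTest.
  FileTest.public_send(name, File.expand_path(path))
end

# true when the wrapper rejects the command, false when it dispatches it.
def rejected?(command, path = ".")
  safe_file_test(command, path)
  false
rescue UnsafeFileTestCommand
  true
end

if $PROGRAM_NAME == __FILE__
  Tempfile.create("demo") do |f|
    puts safe_file_test("file?", f.path)      # true
    puts safe_file_test(:directory?, f.path)  # false
    puts rejected?("system")                  # true
  end
end
```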