CVE-2019-16255 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Arbitrary code execution
Description	It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to code injection. Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument (aka the “command” argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1040	ruby2.5	2.5.6-1	2.5.7-1	Medium	Fixed	FS#63977
AVG-1039	ruby	2.6.4-1	2.6.5-1	Medium	Fixed	FS#63977

Date	Advisory	Group	Package	Severity	Type
02 Oct 2019	ASA-201910-5	AVG-1040	ruby2.5	Medium	multiple issues
02 Oct 2019	ASA-201910-2	AVG-1039	ruby	Medium	multiple issues

References
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

Notes
Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#[] is considered file testing.

Notes

Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#[] is considered file testing.