Severity |
Remote |
Type | - Unknown
Type | + Arbitrary code execution
Description | + It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to code injection. Shell#[] and its alias Shell#test, defined in lib/shell.rb, allow code injection if the first argument (the “command” argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
References | + https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
Notes | + Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered file testing.
|
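The defensive pattern the note implies, as an added example that is not part of this record or of Ruby's lib/shell.rb: a file-test helper that accepts the test name from untrusted input but dispatches only to an explicit allowlist of FileTest predicates, so the name can never select an arbitrary method. The module name SafeFileTest, its API and the sample inputs are assumptions.

```ruby
# Added example (not Ruby's lib/shell.rb): a file-test helper whose "command"
# argument may be untrusted, but which only ever dispatches to predicates on a
# fixed allowlist. A caller-supplied name that is not a file test is rejected
# before anything is sent to FileTest, closing the pattern behind CVE-2019-16255.
require "tmpdir"

module SafeFileTest
  # Predicates we are willing to run on a caller's behalf. Any other name,
  # including every other method reachable through send, is refused.
  ALLOWED = %w[exist? file? directory? readable? writable?
               executable? size? zero? symlink?].freeze

  class UnsupportedTest < ArgumentError; end

  # Returns FileTest.<command>(path) when command is on the allowlist,
  # otherwise raises UnsupportedTest. Accepts a Symbol or String, as Shell#test did.
  def self.test(command, path)
    name = command.to_s
    unless ALLOWED.include?(name)
      raise UnsupportedTest, "unsupported file test: #{name.inspect}"
    end
    FileTest.public_send(name, path) # name is now one of our own constants
  end

  # True if the test name would be accepted by SafeFileTest.test.
  def self.allowed?(command)
    ALLOWED.include?(command.to_s)
  end
end

# Constructed demonstration input: a temporary directory holding one file.
if __FILE__ == $0
  Dir.mktmpdir do |dir|
    path = File.join(dir, "data.txt")
    File.write(path, "hello")
    p SafeFileTest.test(:file?, path)       # true
    p SafeFileTest.test("directory?", dir)  # true
    begin
      SafeFileTest.test("system", "id")     # not a file test: rejected, never dispatched
    rescue SafeFileTest::UnsupportedTest => e
      puts e.message
    end
  end
end
```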