CVE-2019-16255 - log

CVE-2019-16255 edited at 02 Oct 2019 11:59:08
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary code execution
Description
+ It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to code injection. Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument (aka the “command” argument) is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
References
+ https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
Notes
+ Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered file testing.
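The description and note above come down to one pattern: a caller-supplied "command" string must never be allowed to select which method gets invoked. The following Ruby snippet is an added illustration of the defensive side of that rule, not code from lib/shell.rb or from the Ruby project: it resolves a file-test name through a fixed allowlist (the `ALLOWED_FILE_TESTS` table and the `UnsafeFileTest` error class are assumptions of this example) and only then dispatches to a `FileTest` predicate, so names such as `system` or `eval` are rejected before any dynamic call takes place.

```ruby
require 'tmpdir'

# Allowlist of file-test predicates a caller may request by name (assumed for
# this example). Anything outside this table is rejected before any dynamic
# dispatch happens, so an untrusted "command" string can never select an
# unrelated method.
ALLOWED_FILE_TESTS = {
  # single-character flags in the style of Kernel#test
  'e' => :exist?,
  'f' => :file?,
  'd' => :directory?,
  'r' => :readable?,
  'w' => :writable?,
  'x' => :executable?,
  's' => :size?,
  'z' => :zero?,
  # explicit FileTest predicate names
  'exist?'      => :exist?,
  'file?'       => :file?,
  'directory?'  => :directory?,
  'readable?'   => :readable?,
  'writable?'   => :writable?,
  'executable?' => :executable?,
  'size?'       => :size?,
  'zero?'       => :zero?,
}.freeze

# Raised when the requested test is not on the allowlist (assumed name).
class UnsafeFileTest < ArgumentError; end

# Resolve an untrusted command name to a FileTest predicate and apply it to
# the given path. Symbols are accepted as well as strings, but the lookup is
# always by exact string match against the allowlist.
def safe_file_test(command, path)
  key = command.to_s
  predicate = ALLOWED_FILE_TESTS[key]
  raise UnsafeFileTest, "file test not permitted: #{key.inspect}" unless predicate

  FileTest.public_send(predicate, File.expand_path(path))
end

# Demonstration on constructed files in a temporary directory: legitimate
# tests work, and method names that are not file tests are refused.
def demo
  Dir.mktmpdir do |dir|
    file = File.join(dir, 'data.txt')
    File.write(file, 'hello')

    results = {
      exists:      safe_file_test('e', file),
      is_file:     safe_file_test(:file?, file),
      is_dir:      safe_file_test('d', file),
      nonexistent: safe_file_test('exist?', File.join(dir, 'missing')),
    }

    # Names that would be dangerous under unrestricted dynamic dispatch.
    rejected = %w[system eval exec send instance_eval].map do |name|
      begin
        safe_file_test(name, file)
        false
      rescue UnsafeFileTest
        true
      end
    end
    results[:all_rejected] = rejected.all?
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The important design choice is that the allowlist maps names to predicates rather than checking that a name "looks like" a file test: a lookup table cannot be tricked by a method name that happens to end in `?`, and adding a new permitted test means adding one explicit row.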
CVE-2019-16255 created at 02 Oct 2019 11:37:12