CVE-2021-31799

Severity: Medium
Remote: Yes
Type: Arbitrary command execution
RDoc before version 6.3.1 called Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit this to execute an arbitrary command against a user who attempts to run the rdoc command.
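
A pre-flight check for the condition described above, as an added example that is not part of the advisory or of RDoc: it flags file names matching the trigger pattern in a checkout and compares an upstream RDoc version string against the fixed release 6.3.1. The helper names and the sample tree are constructed for illustration.

```ruby
require "rubygems"
require "find"
require "tmpdir"

# First fixed RDoc release, taken from the advisory text.
FIXED_RDOC = Gem::Version.new("6.3.1")

# True when an upstream RDoc version (e.g. "6.3.0", without a distro
# package release suffix) predates the fix.
def rdoc_affected?(version)
  Gem::Version.new(version) < FIXED_RDOC
end

# The advisory's trigger: a file name starting with "|" and ending with "tags".
def risky_name?(basename)
  basename.start_with?("|") && basename.end_with?("tags")
end

# Walk a project tree and return every path whose base name matches.
def risky_files(root)
  hits = []
  Find.find(root) { |path| hits << path if risky_name?(File.basename(path)) }
  hits.sort
end

# Constructed sample tree. File.open, unlike Kernel#open, always treats
# its argument as a literal path, so building the sample runs nothing.
def demo
  Dir.mktmpdir do |dir|
    ["|sample-tags", "tags", "README.md"].each do |name|
      File.open(File.join(dir, name), "w") { |f| f.write("constructed\n") }
    end
    risky_files(dir).map { |p| File.basename(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "flagged in sample tree: #{demo.inspect}"
  %w[6.3.0 6.3.1].each { |v| puts "rdoc #{v} affected: #{rdoc_affected?(v)}" }
end
```

Run `risky_files` on an untrusted checkout before invoking rdoc with a version older than 6.3.1; any hit is a file name that the vulnerable code path would treat as a command.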
Group     Package        Affected   Fixed    Severity  Status      Ticket
AVG-1906  jruby                              Medium    Vulnerable
AVG-1905  gitlab-gitaly  13.11.3-1           Medium    Vulnerable
AVG-1904  gitlab         13.11.3-1           Medium    Vulnerable
AVG-1903  ruby2.6        2.6.7-1             Medium    Vulnerable
AVG-1902  ruby2.7        2.7.3-1             Medium    Vulnerable
AVG-1901  ruby-rdoc      6.3.0-3    6.3.1-1  Medium    Fixed