CVE-2021-31799

Severity: Medium
Remote: Yes
Type: Arbitrary command execution
RDoc before version 6.3.1, as bundled with Ruby before versions 2.7.4 and 2.6.8 as well as GitLab before version 14.0.2, used Kernel#open to open a local file. Kernel#open treats a name that starts with "|" as a command to run rather than a path, so if a Ruby project contains a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit this to execute arbitrary commands against a user who runs the rdoc command on it.
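The mitigation comes down to never handing an untrusted filename to Kernel#open. The following is an added example, not RDoc's or Ruby's own code: the function names (read_tags_file, pipe_name?, file_open_outcome, scan_project) are hypothetical stand-ins for the part of a documentation tool that reads a "tags" file from a project tree. It uses File.open, which treats its argument purely as a path and never spawns a process, and adds an explicit guard so a "|"-prefixed name is reported rather than silently opened. The sample file list at the bottom is constructed.

```ruby
# Added example (not RDoc's own code): opening project files without the
# Kernel#open pipe behaviour that CVE-2021-31799 describes.
require "tempfile"

# True when Kernel#open would interpret this name as a command (leading "|").
# A project scanner should skip or flag such names instead of opening them.
def pipe_name?(name)
  name.start_with?("|")
end

# Hypothetical stand-in for "read the tags file found in the project".
# File.open never spawns a subprocess, and the guard turns a pipe-style name
# into an explicit error instead of an ENOENT that might be ignored.
def read_tags_file(path)
  raise ArgumentError, "refusing pipe-style filename: #{path.inspect}" if pipe_name?(path)
  File.open(path, "r") { |io| io.read }
end

# Shows that File.open treats a "|"-prefixed string as a literal path:
# returns :read if a file literally named that exists, :missing otherwise.
# In neither case is anything executed.
def file_open_outcome(name)
  File.open(name, "r") { |io| io.read }
  :read
rescue Errno::ENOENT
  :missing
end

# Splits a list of candidate file names into [flagged, safe]; a scanner can
# report the flagged ones and only ever open the safe ones.
def scan_project(file_names)
  file_names.partition { |n| pipe_name?(n) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one ordinary tags file plus one name of the shape
  # the advisory describes (starts with "|", ends with "tags").
  tf = Tempfile.new("tags")
  tf.write("!_TAG_FILE_FORMAT\t2\n")
  tf.flush
  candidates = [tf.path, "|echo would-have-run tags"]
  flagged, safe = scan_project(candidates)
  puts "flagged: #{flagged.inspect}"
  safe.each { |p| puts "read #{p}: #{read_tags_file(p).inspect}" }
  puts "File.open on pipe-style name: #{file_open_outcome(flagged.first)}"
  tf.close!
end
```

The same check is worth applying anywhere a path comes from a repository or an archive: either use File.open / IO.sysopen, or reject names beginning with "|" before they reach any Kernel#open, open-uri or `IO.read`-style call that shares this convention.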
Group     Package        Affected   Fixed      Severity  Status  Ticket
AVG-2140  ruby2.6        2.6.7-1    2.6.8-1    High      Fixed
AVG-2125  gitlab         14.0.1-1   14.0.3-1   High      Fixed
AVG-1906  jruby                                High      Fixed
AVG-1905  gitlab-gitaly  14.2.1-1   14.2.2-1   Medium    Fixed
AVG-1901  ruby-rdoc      6.3.0-3    6.3.1-1    Medium    Fixed
Date         Advisory       Group     Package  Severity  Type
14 Jul 2021  ASA-202107-25  AVG-2140  ruby2.6  High      multiple issues
06 Jul 2021  ASA-202107-18  AVG-2125  gitlab   High      multiple issues