CVE-2021-31799 log

| Severity | Medium |
| Remote | Yes |
| Type | Arbitrary command execution |
| Description | RDoc before version 6.3.1, as bundled with Ruby before versions 2.7.4 and 2.6.8 as well as GitLab before version 14.0.2, calls Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit this to execute arbitrary commands against a user who attempts to run the rdoc command. |

| Group | Package | Affected | Fixed | Severity | Status | Ticket | 
|---|---|---|---|---|---|---|
| AVG-2140 | ruby2.6 | 2.6.7-1 | 2.6.8-1 | High | Fixed | |
| AVG-2125 | gitlab | 14.0.1-1 | 14.0.3-1 | High | Fixed | |
| AVG-1906 | jruby | 9.2.19.0-1 | 9.3.0.0-1 | High | Fixed | |
| AVG-1905 | gitlab-gitaly | 14.2.1-1 | 14.2.2-1 | Medium | Fixed | |
| AVG-1901 | ruby-rdoc | 6.3.0-3 | 6.3.1-1 | Medium | Fixed | |

| Date | Advisory | Group | Package | Severity | Type | 
|---|---|---|---|---|---|
| 14 Jul 2021 | ASA-202107-25 | AVG-2140 | ruby2.6 | High | multiple issues | 
| 06 Jul 2021 | ASA-202107-18 | AVG-2125 | gitlab | High | multiple issues |