CVE-2021-31799 - log

CVE-2021-31799 edited at 08 Jul 2021 20:48:12
Description
- RDoc before version 6.3.1, as bundled with GitLab before version 14.0.2, used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.
+ RDoc before version 6.3.1, as bundled with Ruby before version 2.7.4 and 2.6.8 as well as GitLab before version 14.0.2, used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.
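As an added example (not part of this CVE record and not code from RDoc itself): a Ruby script that lists files in a project tree whose names Kernel#open would treat as a pipe rather than a file, and reads files with File.open, which is the direction the upstream fix took. The temporary directory, its file names and contents are constructed for the demonstration.

```ruby
# Added example, not from the CVE record or from RDoc. Kernel#open treats a
# path whose FIRST character is "|" as a command to run; File.open treats the
# same string as an ordinary file name, so it never spawns a process.
require "tmpdir"

# Defender-side check: file names in a directory that Kernel#open would
# interpret as a pipe. A "|" anywhere else in the name is harmless.
def pipe_like_names(dir)
  Dir.children(dir).select { |name| name.start_with?("|") }.sort
end

# RDoc only opened names ending in "tags" (the advisory's trigger shape),
# so report that narrower set separately.
def rdoc_trigger_names(dir)
  pipe_like_names(dir).select { |name| name.end_with?("tags") }
end

# Hardened read: File.open, whatever the name looks like.
def safe_read(path)
  File.open(path, "rb") { |f| f.read }
end

# Self-contained run on a constructed project tree.
def demo
  Dir.mktmpdir("rdoc-check") do |dir|
    File.write(File.join(dir, "README.md"), "docs\n")
    # Constructed names: one with the exact shape from the advisory, one
    # that starts with "|" but would not have been picked up by RDoc.
    trigger = "|cmd tags"
    File.write(File.join(dir, trigger), "just text\n")
    File.write(File.join(dir, "|other"), "also text\n")
    {
      pipe_like: pipe_like_names(dir),
      triggers: rdoc_trigger_names(dir),
      content: safe_read(File.join(dir, trigger)),
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the same checker over a real checkout before invoking rdoc with an unpatched version is the practical use; any hit is a reason to inspect the tree rather than build docs from it.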
CVE-2021-31799 edited at 08 Jul 2021 20:46:23
References
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7
+ https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522
+ https://github.com/ruby/ruby/commit/fe3c49c9baeeab58304ede915b7edd18ecf360fc
CVE-2021-31799 edited at 07 Jul 2021 19:47:44
References
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
- https://my.diffend.io/gems/rdoc/6.3.0/6.3.1/page/3#d2h-455330
+ https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7
CVE-2021-31799 edited at 06 Jul 2021 17:53:18
Description
- RDoc before version 6.3.1 used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.
+ RDoc before version 6.3.1, as bundled with GitLab before version 14.0.2, used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.
CVE-2021-31799 edited at 02 May 2021 17:51:28
References
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
+ https://my.diffend.io/gems/rdoc/6.3.0/6.3.1/page/3#d2h-455330
CVE-2021-31799 edited at 02 May 2021 17:39:39
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary command execution
Description
+ RDoc before version 6.3.1 used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.
References
+ https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Notes
CVE-2021-31799 created at 02 May 2021 17:34:03