Vulnerability-Lookup

CVE-2021-21289 (GCVE-0-2021-21289)

Vulnerability from cvelistv5 – Published: 2021-02-02 18:50 – Updated: 2024-08-03 18:09

Title

Command Injection Vulnerability in Mechanize

Summary

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/sparklemotion/mechanize/securi…	x_refsource_CONFIRM
	https://rubygems.org/gems/mechanize/	x_refsource_MISC
	https://github.com/sparklemotion/mechanize/releas…	x_refsource_MISC
	https://github.com/sparklemotion/mechanize/commit…	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST
	https://security.gentoo.org/glsa/202107-17	vendor-advisoryx_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	sparklemotion	mechanize	Affected: >= 2.0, < 2.7.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.157Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rubygems.org/gems/mechanize/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
          },
          {
            "name": "FEDORA-2021-24fdc228e4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
          },
          {
            "name": "FEDORA-2021-db8ebc547e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
          },
          {
            "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
          },
          {
            "name": "GLSA-202107-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "sparklemotion",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0, \u003c 2.7.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-08T06:07:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rubygems.org/gems/mechanize/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
        },
        {
          "name": "FEDORA-2021-24fdc228e4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
        },
        {
          "name": "FEDORA-2021-db8ebc547e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
        },
        {
          "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
        },
        {
          "name": "GLSA-202107-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-17"
        }
      ],
      "source": {
        "advisory": "GHSA-qrqm-fpv6-6r8g",
        "discovery": "UNKNOWN"
      },
      "title": "Command Injection Vulnerability in Mechanize",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21289",
          "STATE": "PUBLIC",
          "TITLE": "Command Injection Vulnerability in Mechanize"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mechanize",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 2.0, \u003c 2.7.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "sparklemotion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
              "refsource": "CONFIRM",
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
            },
            {
              "name": "https://rubygems.org/gems/mechanize/",
              "refsource": "MISC",
              "url": "https://rubygems.org/gems/mechanize/"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
            },
            {
              "name": "FEDORA-2021-24fdc228e4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
            },
            {
              "name": "FEDORA-2021-db8ebc547e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
            },
            {
              "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
            },
            {
              "name": "GLSA-202107-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-17"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-qrqm-fpv6-6r8g",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21289",
    "datePublished": "2021-02-02T18:50:13.000Z",
    "dateReserved": "2020-12-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:09:15.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GSD-2021-21289

Vulnerability from gsd - Updated: 2021-02-01 00:00

Details

## Impact Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected using several classes' methods which implicitly use Ruby's `Kernel.open` method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: * Mechanize::CookieJar#load: since v2.0 (see 208e3ed) * Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4) * Mechanize#download: since v2.2 (see dc91667) * Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0) * Mechanize::File#save and #save_as: since v2.1 (see 2bf7519) * Mechanize::FileResponse#read_body: since v2.0 (see 01039f5) ## Patches These vulnerabilities are patched in Mechanize v2.7.7. ## Workarounds No workarounds are available. We recommend upgrading to v2.7.7 or later. ## References See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why `Kernel.open` should not be used with untrusted input.

Aliases

CVE-2021-21289

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21289",
    "description": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.",
    "id": "GSD-2021-21289",
    "references": [
      "https://advisories.mageia.org/CVE-2021-21289.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "mechanize",
            "purl": "pkg:gem/mechanize"
          }
        }
      ],
      "aliases": [
        "CVE-2021-21289",
        "GHSA-qrqm-fpv6-6r8g"
      ],
      "details": "## Impact\n\nMechanize `\u003e= v2.0`, `\u003c v2.7.7` allows for OS commands to be injected using several\nclasses\u0027 methods which implicitly use Ruby\u0027s `Kernel.open` method. Exploitation is\npossible only if untrusted input is used as a local filename and passed to any of\nthese calls:\n\n* Mechanize::CookieJar#load: since v2.0 (see 208e3ed)\n* Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)\n* Mechanize#download: since v2.2 (see dc91667)\n* Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)\n* Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)\n* Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)\n\n## Patches\n\nThese vulnerabilities are patched in Mechanize v2.7.7.\n\n## Workarounds\n\nNo workarounds are available. We recommend upgrading to v2.7.7 or later.\n\n## References\n\nSee https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background\non why `Kernel.open` should not be used with untrusted input.",
      "id": "GSD-2021-21289",
      "modified": "2021-02-01T00:00:00.000Z",
      "published": "2021-02-01T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.4,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Mechanize ruby gem Command Injection vulnerability"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21289",
        "STATE": "PUBLIC",
        "TITLE": "Command Injection Vulnerability in Mechanize"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "mechanize",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2.0, \u003c 2.7.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "sparklemotion"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
            "refsource": "CONFIRM",
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
          },
          {
            "name": "https://rubygems.org/gems/mechanize/",
            "refsource": "MISC",
            "url": "https://rubygems.org/gems/mechanize/"
          },
          {
            "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
            "refsource": "MISC",
            "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
          },
          {
            "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
            "refsource": "MISC",
            "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
          },
          {
            "name": "FEDORA-2021-24fdc228e4",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
          },
          {
            "name": "FEDORA-2021-db8ebc547e",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
          },
          {
            "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
          },
          {
            "name": "GLSA-202107-17",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202107-17"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qrqm-fpv6-6r8g",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-21289",
      "cvss_v3": 7.4,
      "date": "2021-02-01",
      "description": "## Impact\n\nMechanize `\u003e= v2.0`, `\u003c v2.7.7` allows for OS commands to be injected using several\nclasses\u0027 methods which implicitly use Ruby\u0027s `Kernel.open` method. Exploitation is\npossible only if untrusted input is used as a local filename and passed to any of\nthese calls:\n\n* Mechanize::CookieJar#load: since v2.0 (see 208e3ed)\n* Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)\n* Mechanize#download: since v2.2 (see dc91667)\n* Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)\n* Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)\n* Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)\n\n## Patches\n\nThese vulnerabilities are patched in Mechanize v2.7.7.\n\n## Workarounds\n\nNo workarounds are available. We recommend upgrading to v2.7.7 or later.\n\n## References\n\nSee https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background\non why `Kernel.open` should not be used with untrusted input.",
      "gem": "mechanize",
      "ghsa": "qrqm-fpv6-6r8g",
      "patched_versions": [
        "\u003e= 2.7.7"
      ],
      "title": "Mechanize ruby gem Command Injection vulnerability",
      "unaffected_versions": [
        "\u003c 2.0"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.0 \u003c2.7.7",
          "affected_versions": "All versions starting from 2.0 before 2.7.7",
          "cvss_v2": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2022-04-26",
          "description": "Mechanize is an open-source ruby library that makes automated web interaction easy.",
          "fixed_versions": [
            "2.7.7"
          ],
          "identifier": "CVE-2021-21289",
          "identifiers": [
            "CVE-2021-21289",
            "GHSA-qrqm-fpv6-6r8g"
          ],
          "not_impacted": "All versions before 2.0, all versions starting from 2.7.7",
          "package_slug": "gem/mechanize",
          "pubdate": "2021-02-02",
          "solution": "Upgrade to version 2.7.7 or above.",
          "title": "OS Command Injection",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21289"
          ],
          "uuid": "3c307d5f-76e6-4f41-a694-f65cc20c070a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.7",
                "versionStartIncluding": "2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21289"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                },
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://rubygems.org/gems/mechanize/",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://rubygems.org/gems/mechanize/"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
            },
            {
              "name": "FEDORA-2021-24fdc228e4",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
            },
            {
              "name": "FEDORA-2021-db8ebc547e",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
            },
            {
              "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
            },
            {
              "name": "GLSA-202107-17",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202107-17"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.6,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2022-04-26T15:07Z",
      "publishedDate": "2021-02-02T19:15Z"
    }
  }
}

FKIE_CVE-2021-21289

Vulnerability from fkie_nvd - Published: 2021-02-02 19:15 - Updated: 2024-11-21 05:47

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
8.3 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g	Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
security-advisories@github.com	https://rubygems.org/gems/mechanize/	Product, Third Party Advisory
security-advisories@github.com	https://security.gentoo.org/glsa/202107-17	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
af854a3a-2127-422b-91ae-364da2661108	https://rubygems.org/gems/mechanize/	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202107-17	Third Party Advisory

Impacted products

Vendor	Product	Version
mechanize_project	mechanize	*
fedoraproject	fedora	32
fedoraproject	fedora	33
debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "3F476565-B5B7-4547-812E-F9428E9FA312",
              "versionEndExcluding": "2.7.7",
              "versionStartIncluding": "2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
              "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
    },
    {
      "lang": "es",
      "value": "Mechanize es una biblioteca de ruby ??de c\u00f3digo abierto que facilita la interacci\u00f3n web automatizada.\u0026#xa0;En Mechanize desde versi\u00f3n 2.0.0 y versiones anteriores a 2.7.7, se presenta una vulnerabilidad de inyecci\u00f3n de comandos.\u0026#xa0;Las versiones afectadas de mechanize permiten a unos comandos del Sistema Operativo ser inyectados usando m\u00e9todos de varias clases que impl\u00edcitamente usan el m\u00e9todo Kernel.open de Ruby.\u0026#xa0;Una explotaci\u00f3n es posible solo si es usada una entrada que no sea confiable como nombre de archivo local y sea pasada a cualquiera de estas llamadas: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save y Mechanize::FileResponse#read_body.\u0026#xa0;Esto es corregido en versi\u00f3n 2.7.7"
    }
  ],
  "id": "CVE-2021-21289",
  "lastModified": "2024-11-21T05:47:56.533",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.6,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-02T19:15:14.220",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://rubygems.org/gems/mechanize/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202107-17"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://rubygems.org/gems/mechanize/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202107-17"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-QRQM-FPV6-6R8G

Vulnerability from github – Published: 2021-02-02 18:50 – Updated: 2022-04-27 20:24

Summary

Command Injection Vulnerability in Mechanize

Details

This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

Impact

Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
Mechanize#download: since v2.2 (see dc91667)
Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

Patches

These vulnerabilities are patched in Mechanize v2.7.7.

Workarounds

No workarounds are available. We recommend upgrading to v2.7.7 or later.

References

See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why Kernel.open should not be used with untrusted input.

For more information

If you have any questions or comments about this advisory, please open an issue in sparklemotion/mechanize.

Severity ?

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "mechanize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-02T18:50:15Z",
    "nvd_published_at": "2021-02-02T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).\n\n### Impact\n\nMechanize `\u003e= v2.0`, `\u003c v2.7.7` allows for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s `Kernel.open` method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:\n\n- `Mechanize::CookieJar#load`: since v2.0 (see 208e3ed)\n- `Mechanize::CookieJar#save_as`: since v2.0 (see 5b776a4)\n- `Mechanize#download`: since v2.2 (see dc91667)\n- `Mechanize::Download#save` and `#save!` since v2.1 (see 98b2f51, bd62ff0)\n- `Mechanize::File#save` and `#save_as`: since v2.1 (see 2bf7519)\n- `Mechanize::FileResponse#read_body`: since v2.0 (see 01039f5)\n\n\n### Patches\n\nThese vulnerabilities are patched in Mechanize v2.7.7.\n\n\n### Workarounds\n\nNo workarounds are available. We recommend upgrading to v2.7.7 or later.\n\n\n### References\n\nSee https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background on why `Kernel.open` should not be used with untrusted input.\n\n\n### For more information\n\nIf you have any questions or comments about this advisory, please open an issue in [sparklemotion/mechanize](https://github.com/sparklemotion/mechanize/issues/new).",
  "id": "GHSA-qrqm-fpv6-6r8g",
  "modified": "2022-04-27T20:24:21Z",
  "published": "2021-02-02T18:50:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21289"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/mechanize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V"
    },
    {
      "type": "WEB",
      "url": "https://rubygems.org/gems/mechanize"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Command Injection Vulnerability in Mechanize"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21289 (GCVE-0-2021-21289)

GSD-2021-21289

FKIE_CVE-2021-21289

GHSA-QRQM-FPV6-6R8G

Impact

Patches

Workarounds

References

For more information

Tags

Sightings

Nomenclature