CVE-2019-16255

CVSS v3.1 8.1 (High)
CVSS v2.0 6.8 (Medium)
EPSS 0.94% (83rd percentile)
Affected Products 4
Advisories 21

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Weaknesses
CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2019-11-26 18:15:15
Updated Date
2023-04-30 23:15:44

Affected Products


Configuration #1

  Product                                           CPE23                     From      Up To
  Ruby-lang Ruby, 2.4.0 up to and including 2.4.7   cpe:2.3:a:ruby-lang:ruby  >= 2.4.0  <= 2.4.7
  Ruby-lang Ruby, 2.5.0 up to and including 2.5.6   cpe:2.3:a:ruby-lang:ruby  >= 2.5.0  <= 2.5.6
  Ruby-lang Ruby, 2.6.0 up to and including 2.6.4   cpe:2.3:a:ruby-lang:ruby  >= 2.6.0  <= 2.6.4

Configuration #2

  Product            CPE23
  Debian Linux 8.0   cpe:2.3:o:debian:debian_linux:8.0
  Debian Linux 9.0   cpe:2.3:o:debian:debian_linux:9.0

Configuration #3

  Product              CPE23
  Opensuse Leap 15.1   cpe:2.3:o:opensuse:leap:15.1

Configuration #4

  Product                   CPE23
  Oracle Graalvm 19.3.0.2   cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise