[GLSA-202401-05] RDoc: Command Injection
A vulnerability has been found in RDoc which allows for command injection.
Background
RDoc produces HTML and command-line documentation for Ruby projects.
Description
A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details.
Impact
RDoc used to call Kernel#open to open a local file. Kernel#open treats a name that starts with | as a command to run rather than a path to read, so if a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit this to achieve arbitrary command execution as the user who runs the rdoc command on it.
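As an added example (not RDoc's own code and not part of this advisory), the following Ruby script contrasts the vulnerable Kernel#open pattern with File.open, which only ever opens a filesystem path, and adds a pre-flight scan of a checkout for names beginning with |. The function names vulnerable_read, hardened_read, pipe_name? and scan_for_pipe_names are hypothetical; the "|echo pwned" and "|evil" filenames are constructed for the demo and assume a POSIX system, where | is a legal filename character.

```ruby
# Added example, not RDoc's own code: Kernel#open versus File.open on a
# hostile filename, plus a scan for such names in a project tree.
require "find"
require "tmpdir"

# Vulnerable pattern (what the advisory describes): Kernel#open. A name such
# as "|echo pwned" spawns a shell command and returns its output instead of
# opening a file. Never use this on names you do not control.
def vulnerable_read(name)
  open(name) { |io| io.read }
end

# Hardened pattern: File.open never interprets a leading "|"; the name is
# treated purely as a path, so a missing file raises Errno::ENOENT.
def hardened_read(name)
  File.open(name, "rb") { |f| f.read }
end

# True when a name would be interpreted as a command by Kernel#open.
def pipe_name?(name)
  name.start_with?("|")
end

# Pre-flight check before running rdoc on a checkout you do not trust:
# return every path under dir whose basename would trigger Kernel#open's
# command mode.
def scan_for_pipe_names(dir)
  hits = []
  Find.find(dir) do |path|
    hits << path if pipe_name?(File.basename(path))
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  hostile = "|echo pwned" # constructed hostile filename
  begin
    puts "Kernel#open ran a command: #{vulnerable_read(hostile).inspect}"
  rescue StandardError => e
    puts "Kernel#open could not spawn: #{e.class}"
  end
  begin
    hardened_read(hostile)
  rescue Errno::ENOENT => e
    puts "File.open treated it as a path: #{e.message}"
  end

  # Constructed project tree: one normal source file, one hostile name.
  Dir.mktmpdir do |d|
    File.open(File.join(d, "ok.rb"), "w") { |f| f.write("puts 1\n") }
    File.open(File.join(d, "|evil"), "w") { |f| f.write("x") }
    puts "suspicious names: #{scan_for_pipe_names(d).map { |p| File.basename(p) }.inspect}"
  end
end
```

The scan is a pre-flight check for a practitioner, not a substitute for upgrading: RDoc before the fixed version still calls Kernel#open on whatever it finds, so the only reliable fix remains the package update below.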
Workaround
There is no known workaround at this time.
Resolution
All RDoc users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.3.2"
Package | Affected Version |
---|---|
pkg:ebuild/dev-ruby/rdoc?distro=gentoo | < 6.3.2 |
Package | Unaffected Version |
---|---|
pkg:ebuild/dev-ruby/rdoc?distro=gentoo | >= 6.3.2 |
- ID
- GLSA-202401-05
- Severity
- normal
- URL
- https://security.gentoo.org/glsa/202401-05
- Published
- 2024-01-05T00:00:00
- Modified
- 2024-01-05T00:00:00
- Rights
- Gentoo Foundation, Inc.
- Other Advisories
-
- ALAS-2021-1505
- ALAS-2021-1506
- ALAS2-2021-1641
- ALPINE:CVE-2021-31799
- ALSA-2021:3020
- ALSA-2022:0543
- ALSA-2022:0672
- ASA-202107-18
- DSA-5066-1
- ELSA-2021-3020
- ELSA-2022-0543
- ELSA-2022-0672
- FEDORA-2021-36cdab1f8d
- FREEBSD:57027417-AB7F-11EB-9596-080027F515EA
- FREEBSD:7ED5779C-E4C7-11EB-91D7-08002728F74C
- openSUSE-SU-2021:1535-1
- openSUSE-SU-2021:3838-1
- RHSA-2021:3020
- RHSA-2022:0543
- RHSA-2022:0672
- RLSA-2021:3020
- RLSA-2022:0543
- RLSA-2022:0672
- RUBYSEC:RDOC-2021-31799
- SUSE-SU-2021:3837-1
- SUSE-SU-2021:3838-1
- SUSE-SU-2022:1512-1
- USN-5020-1
Source | # ID | Name | URL |
---|---|---|---|
CVE | CVE-2021-31799 | CVE-2021-31799 | https://nvd.nist.gov/vuln/detail/CVE-2021-31799 |
Bugzilla | 801301 | Bugzilla #801301 | https://bugs.gentoo.org/show_bug.cgi?id=801301 |