ALPINE-CVE-2019-16255

ALPINE-CVE-2019-16255 PUBLISHED CVSS 8.1 HIGH

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Risk Scores

CVSS v3.1
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.7 | ruby | 2.4.6-r0, 0, 1.8.7_p160-r2 |
| Alpine:v3.17 | ruby | 1.9.3_p385-r0, 2.6.4-r0, 2.6.3-r2 |
| Alpine:v3.22 | ruby | 0, 0, 0 |
| Alpine:v3.14 | ruby | *, 2.4.1-r1, 2.4.3-r0 |
| Alpine:v3.20 | ruby | 0, 0, 0 |
| Alpine:v3.19 | ruby | 2.5.0-r1, 2.4.2-r1, 2.4.2-r0 |
| Alpine:v3.11 | ruby | 1.9.3, 1.9.3, 1.9.3 |
| Alpine:v3.10 | ruby | 2.5.1-r1, 0, 1.8.7_p160-r2 |
| Alpine:v3.21 | ruby | 0, 0, 0 |
| Alpine:v3.18 | ruby | 0, 1.8.7_p160-r2, 1.8.7_p174-r0 |
| Alpine:v3.15 | ruby | 2.0.0_p195-r0, 2.0.0_p0-r1, 1.9.3_p392-r0 |
| Alpine:v3.8 | ruby | 1.9.3, 0, 1.8.7_p160-r2 |
| Alpine:v3.13 | ruby | 2.5.0-r0, 2.0.0_p247-r1, 2.0.0_p247-r2 |
| Alpine:v3.16 | ruby | 2.6.4-r0, 1.8.7_p160-r2, 1.8.7_p160-r3 |
| Alpine:v3.23 | ruby | 0, 0, 0 |
| Alpine:v3.12 | ruby | 2.0.0_p247-r2, 2.0.0_p247-r3, 2.0.0_p353-r0 |
| Alpine:v3.9 | ruby | 0, 1.8.7_p160-r2, 1.8.7_p174-r0 |

Timeline

  • Nov 26, 2019 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch