VDB
CVE-2021-21289
CVE-2021-21289
PUBLISHED
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
EPSS 2.50% · 85.6th percentile
Risk Scores
EPSS Score
2.50%
85.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | ruby-mechanize | 0, 2.7.6-1 |
| Ubuntu:22.04:LTS | ruby-mechanize | 2.7.7-1, 2.7.7-3, 0 |
| Ubuntu:16.04:LTS | ruby-mechanize | 0, 2.7.3-1 |
| Ubuntu:18.04:LTS | ruby-mechanize | 0, 2.7.5-1, 2.7.5-2 |
Exploit Intelligence
- https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g (circl)
- https://rubygems.org/gems/mechanize/ (circl)
- https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 (circl)
- https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0 (circl)
- FEDORA-2021-24fdc228e4 (circl)
- FEDORA-2021-db8ebc547e (circl)
- [debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update (circl)
- GLSA-202107-17 (circl)
Timeline
- Feb 2, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-21289 third-party-advisory
- https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g third-party-advisory
- https://github.com/sparklemotion/mechanize/commit/aae0b13514a1a0caf93b1cf233733c50e679069a third-party-advisory
- https://github.com/sparklemotion/mechanize/commit/2ac906b26f4a565a0af92df5fb9c8a36c2b75375 third-party-advisory
- https://github.com/sparklemotion/mechanize/commit/f43a3952ab39341136656b0a8b2c8597ba1b4adc third-party-advisory
- https://github.com/sparklemotion/mechanize/commit/b48b12f5db33c5a94a14dfcab8adf3e73cfa0388 third-party-advisory
- https://github.com/sparklemotion/mechanize/commit/63f8779e49664d5e95fae8d42d04c8e373162b3c third-party-advisory
- https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0 third-party-advisory
- https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 third-party-advisory
- https://rubygems.org/gems/mechanize/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-21289 third-party-advisory