Vulnerability Description
Mechanize is an open-source Ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of Mechanize allow OS commands to be injected through several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
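The root cause is that Kernel#open treats a filename beginning with "|" as a command to spawn, while File.open only ever opens the literal path. The following is an added example, not Mechanize's own code: a hypothetical hardened save helper in the spirit of the affected save methods, plus a small audit helper that flags unqualified open(...) calls in Ruby source so a reviewer can check whether untrusted filenames reach them. The sample source it scans is constructed.

```ruby
require "tmpdir"

# Hypothetical hardened helper (not from Mechanize). It writes body to
# filename using File.open, which never interprets the name as a command.
def save_body(body, filename)
  # Defence in depth: refuse names Kernel#open would have executed, so a
  # caller that is later refactored back to Kernel#open still fails closed.
  raise ArgumentError, "refusing pipe-prefixed filename" if filename.start_with?("|")
  File.open(filename, "wb") { |f| f.write(body) }
  filename
end

# Matches an unqualified open( call, i.e. Kernel#open. Calls qualified with a
# receiver such as File.open or URI.open are preceded by "." and are skipped.
KERNEL_OPEN = /(?<![\w.:])open\s*\(/

# Returns the 1-based line numbers of non-comment lines that call Kernel#open.
def kernel_open_calls(source)
  source.each_line.with_index(1).filter_map do |line, no|
    no if line =~ KERNEL_OPEN && !line.lstrip.start_with?("#")
  end
end

# Constructed sample source: the pre-fix pattern next to its replacement.
SAMPLE = <<~RUBY
  def save_as(filename)
    open(filename, "w") { |f| f.write(dump) }       # flagged: Kernel#open
  end
  def save_fixed(filename)
    File.open(filename, "w") { |f| f.write(dump) }  # not flagged
  end
  URI.open("http://example.invalid")               # not flagged
RUBY

# Demonstrates both helpers; returns the flagged line numbers of SAMPLE.
def demo
  Dir.mktmpdir do |dir|
    path = save_body("cookie=1", File.join(dir, "cookies.yml"))
    raise "write failed" unless File.read(path) == "cookie=1"
  end
  begin
    save_body("x", "|some-command")   # rejected before touching the filesystem
  rescue ArgumentError
  end
  kernel_open_calls(SAMPLE)           # => [2]
end
```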
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mechanize Project | Mechanize | >= 2.0, < 2.7.7 |
| Fedoraproject | Fedora | 32 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e544 (Patch, Third Party Advisory)
- https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 (Release Notes, Third Party Advisory)
- https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://rubygems.org/gems/mechanize/ (Product, Third Party Advisory)
- https://security.gentoo.org/glsa/202107-17 (Third Party Advisory)
FAQ
What is CVE-2021-21289?
CVE-2021-21289 is a vulnerability with a CVSS score of 7.4 (HIGH). Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versio...
How severe is CVE-2021-21289?
CVE-2021-21289 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21289?
Check the references section above for vendor advisories and patch information. Affected products include: Mechanize Project Mechanize, Fedoraproject Fedora, Debian Debian Linux.