CVE-2021-31799 — HIGH (7.0)

Q: What is CVE-2021-31799?

CVE-2021-31799 is a vulnerability with a CVSS score of 7.0 (HIGH). In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

Q: How severe is CVE-2021-31799?

CVE-2021-31799 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-31799?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Ruby-Lang Rdoc, Ruby-Lang Ruby, Oracle Jd Edwards Enterpriseone Tools.

Vulnerability Description

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

CVSS Score

7.0

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	9.0
Ruby-Lang	Rdoc	>= 3.11, < 6.3.1
Ruby-Lang	Ruby	<= 3.0.1
Oracle	Jd Edwards Enterpriseone Tools	< 9.2.6.1

Related Weaknesses (CWE)

CWE-78

References

https://lists.debian.org/debian-lts-announce/2021/10/msg00009.htmlThird Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-31799Third Party Advisory
https://security.gentoo.org/glsa/202401-05
https://security.netapp.com/advisory/ntap-20210902-0004/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/PatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00009.htmlThird Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-31799Third Party Advisory
https://security.gentoo.org/glsa/202401-05
https://security.netapp.com/advisory/ntap-20210902-0004/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/PatchVendor Advisory

FAQ

What is CVE-2021-31799?

CVE-2021-31799 is a vulnerability with a CVSS score of 7.0 (HIGH). In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

How severe is CVE-2021-31799?

CVE-2021-31799 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-31799?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Ruby-Lang Rdoc, Ruby-Lang Ruby, Oracle Jd Edwards Enterpriseone Tools.