PT-2019-4652 · Ruby+8
Bengt Jonsson +4
Published: 2019-07-27 · Updated: 2023-05-01
CVE-2019-16255
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Ruby versions 2.4.7 and earlier, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
Description
The issue allows code injection if the first argument to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. This is due to incorrect neutralization of special elements in output used by an incoming component.
Recommendations
For Ruby versions 2.4.7 and earlier, update to version 2.4.8.
For Ruby versions 2.5.x through 2.5.6, update to version 2.5.7.
For Ruby versions 2.6.x through 2.6.4, update to version 2.6.5.
As a temporary workaround, consider validating and sanitizing the first argument to Shell#[] and Shell#test to prevent code injection.
Exploit
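An allowlist guard that implements the workaround above, written for this advisory as an added example (it is not code from Ruby's lib/shell.rb nor from the advisory); the function names and the allowlist contents are the example's own choices. It normalizes the untrusted command name, rejects anything not in an explicit list of FileTest predicates, and only then dispatches it:

```ruby
# Added example for this advisory, not code from Ruby's lib/shell.rb or from the
# advisory itself: an allowlist guard for the first argument to Shell#test /
# Shell#[], as the temporary workaround asks for. The function names and the
# allowlist contents are this example's own choices.
require 'tmpdir'

# Explicit allowlist of FileTest predicates that untrusted input may select.
# Enumerating names (instead of asking FileTest.respond_to?) keeps every other
# method, on FileTest or anything else, unreachable from the command argument.
ALLOWED_FILE_TESTS = %w[
  exist? file? directory? readable? writable? executable? symlink? size? zero?
].freeze

class UnsafeCommandError < ArgumentError; end

# Normalize an untrusted command name (Shell#test accepts Strings and Symbols)
# and reject anything outside the allowlist before it reaches a dispatch call.
# Returns the validated name as a Symbol.
def validate_file_test_command(command)
  name = case command
         when Symbol then command.to_s
         when String then command
         else
           raise UnsafeCommandError, "command must be a String or Symbol, got #{command.class}"
         end
  unless ALLOWED_FILE_TESTS.include?(name)
    raise UnsafeCommandError, "file test #{name.inspect} is not in the allowlist"
  end
  name.to_sym
end

# Run an allowlisted file test against a path. FileTest is the module the
# unpatched Shell#test forwarded the name to; validating first is what removes
# the arbitrary-method reach described in the advisory.
def safe_file_test(command, path)
  FileTest.public_send(validate_file_test_command(command), path)
end

# Stand-alone demo on a constructed temporary file (runs only when the file is
# executed directly).
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'sample.txt')
    File.write(path, 'constructed sample')
    puts "exist?     -> #{safe_file_test('exist?', path)}"
    puts "directory? -> #{safe_file_test(:directory?, path)}"
    begin
      safe_file_test('basename', path)
    rescue UnsafeCommandError => e
      puts "rejected   -> #{e.message}"
    end
  end
end
```

Where Shell itself stays in use, call `validate_file_test_command` on the untrusted name and pass only its return value to `shell.test` or `shell[]`; the check is the same, and the allowlist stays the single place that decides what a caller may select.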
Fix
Code Injection
Special Elements Injection
Related identifiers
Affected products
Alt Linux
Almalinux
Astra Linux
Centos
Red Hat
Rocky Linux
Ruby
Suse
Ubuntu