PT-2019-4652 · Ruby +8

Bengt Jonsson +4 · Published 2019-07-27 · Updated 2023-05-01 · CVE-2019-16255

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ruby versions 2.4.7 and earlier, 2.5.x through 2.5.6, and 2.6.x through 2.6.4

Description: The issue allows code injection if the first argument to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. The root cause is improper neutralization of special elements in output used by a downstream component: the first argument is passed on as a method name without being checked against the set of file tests the method is meant to expose.

Recommendations: For Ruby versions 2.4.7 and earlier, update to version 2.4.8. For Ruby versions 2.5.x through 2.5.6, update to version 2.5.7. For Ruby versions 2.6.x through 2.6.4, update to version 2.6.5. As a temporary workaround, validate and sanitize the first argument to Shell#[] and Shell#test before it reaches those methods, accepting only the names of the file tests they are intended to perform.
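The workaround above, written out as an added example (this is not code from Ruby's lib/shell.rb or from the advisory): a wrapper with the same call shape as Shell#test that allowlists the first argument against the module functions FileTest itself defines, so a name supplied by untrusted data can only ever select a file test. The module and error names (SafeFileTest, FileTestError) are hypothetical.

```ruby
# Added example: allowlisted dispatch for the first argument of a
# Shell#test-style call (CVE-2019-16255 mitigation pattern).
# SafeFileTest and FileTestError are hypothetical names, not Ruby stdlib.
require "tempfile"

module SafeFileTest
  class FileTestError < ArgumentError; end

  # Only the predicates FileTest defines as module functions (exist?,
  # file?, directory?, size?, identical?, ...) are accepted. Methods that
  # every object inherits and that plain `send` could otherwise reach are
  # not in this list, so they are refused before any dispatch happens.
  ALLOWED = FileTest.singleton_methods.map(&:to_s).freeze

  # Same shape as Shell#test: command is a String or Symbol naming the
  # test, file1/file2 are paths. Returns FileTest's own result.
  def self.test(command, file1, file2 = nil)
    name = command.is_a?(Symbol) ? command.to_s : command
    unless name.is_a?(String) && ALLOWED.include?(name)
      raise FileTestError, "unsupported file test: #{command.inspect}"
    end
    # public_send (not send) so a private method can never be selected
    # even if the allowlist were ever loosened.
    if file2
      FileTest.public_send(name, file1, file2)
    else
      FileTest.public_send(name, file1)
    end
  end

  # Boolean form for callers that validate before calling.
  def self.allowed?(command)
    ALLOWED.include?(command.to_s)
  end
end

if __FILE__ == $0
  Tempfile.create("probe") do |f|        # constructed sample file
    p SafeFileTest.test("exist?", f.path)     # => true
    p SafeFileTest.test(:directory?, f.path)  # => false
    p SafeFileTest.allowed?("instance_eval")  # => false
  end
end
```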

Weakness Enumeration

Code Injection
Special Elements Injection

Related Identifiers

ALSA-2021:2587
ALSA-2021:2588
ALT-PU-2020-1679
ALT-PU-2020-3411
ALT-PU-2021-3068
BDU:2020-00835
CESA-2021:2587
CESA-2021:2588
CVE-2019-16255
DLA-2007-1
DLA-2027-1
DLA-2330-1
DLA-3408-1
DSA-4586-1
DSA-4587-1
MGASA-2019-0408
MGASA-2020-0440
OPENSUSE-SU-2020:0395-1
RHSA-2021:2104
RHSA-2021:2230
RHSA-2021:2587
RHSA-2021:2588
RHSA-2022:0581
RHSA-2022:0582
RLSA-2021:2587
RLSA-2021:2588
SUSE-SU-2020:0737-1
SUSE-SU-2020:1570-1
USN-4201-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Red Hat
Rocky Linux
Ruby
Suse
Ubuntu