CVE-2021-21289

Name of the Vulnerable Software and Affected Versions: Mechanize versions 2.0.0 through 2.7.6

Description: Mechanize is an open-source ruby library that makes automated web interaction easy. Affected versions of Mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read body.

Recommendations: To resolve the issue, update to Mechanize version 2.7.7 or later. As a temporary workaround, consider avoiding the use of untrusted input as a local filename when calling the affected methods. Restrict access to the vulnerable classes and methods to minimize the risk of exploitation. Avoid using the affected methods with untrusted input until the issue is resolved.