Arbitrary Code Execution Vulnerability in RDoc by Ruby
CVE-2021-31799

7HIGH

Key Information:

Vendor: Debian
Status: Debian Linux
Vendor: CVE Published:; 30 July 2021

Summary

In RDoc versions 3.11 through 6.x prior to 6.3.1, bundled with Ruby 3.0.1, an attacker can exploit the ability to include special characters such as | and tags in filenames, leading to the possibility of arbitrary code execution. This vulnerability allows unauthorized operations to be executed on the system, potentially compromising the security of the application using RDoc.

References

https://lists.debian.org/debian-lts-announce/2021/10/msg0...

mailing-list

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.ruby-lang.org/en/news/2021/05/02/os-command-i...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 30, 2021
Vulnerability Reserved
Apr 25, 2021