CVE-2021-21289

CVSS v3 Score: 8.3 (High)
CVSS v2 Score: 7.6 (High)

Vulnerability Description

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
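The mitigation direction described above, as an added example that is not Mechanize's own code: Ruby's Kernel#open treats a path beginning with "|" as a command to spawn, so a save routine that takes a caller-supplied filename should reject pipe-like names and write through File.open, which only ever treats its argument as a path. The helper names (`pipe_like_filename?`, `safe_save`, `UnsafeFilenameError`) are hypothetical.

```ruby
# Hardened replacement for a save method that previously used Kernel#open on an
# attacker-influenced filename (the CVE-2021-21289 pattern). Added example, not
# code from the Mechanize project.
require "tmpdir"

class UnsafeFilenameError < ArgumentError; end

# Kernel#open spawns a subprocess when the name starts with "|", so a name that
# begins that way must never reach open() as a path. File.open has no such
# behaviour, but rejecting the name explicitly documents the intent.
def pipe_like_filename?(name)
  name.to_s.start_with?("|")
end

# Write body to filename using File.open (path semantics only) and return the
# path written. Raises UnsafeFilenameError for pipe-like names.
def safe_save(filename, body)
  if pipe_like_filename?(filename)
    raise UnsafeFilenameError, "refusing pipe-like filename: #{filename.inspect}"
  end
  File.open(filename, "wb") { |f| f.write(body) }
  filename
end

# Vulnerable shape kept only for contrast; never call it with untrusted input.
# With filename "|some_command", Kernel#open runs some_command instead of
# creating a file.
def unsafe_save(filename, body)
  open(filename, "wb") { |f| f.write(body) }
  filename
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "cookies.yml")
    puts "wrote #{safe_save(path, "---\n")}"
    begin
      safe_save("|id", "")
    rescue UnsafeFilenameError => e
      puts "rejected: #{e.message}"
    end
  end
end
```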

CVSS: 8.3 (High)

OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.

CWE-78, 2022

CVSS: 8.3 (High)

OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.

CWE-78, 2023

CVSS: 8.3 (High)

yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two doubl...

CWE-78, 2024

CVSS: 8.3 (High)

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may le...

CWE-78, 2024

CVSS: 8.3 (High)

OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via ...

CWE-78, 2024

CVSS: 8.4 (High)

AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow local users to execute arbitrary commands in a privileged context via an NfSen socket, aka AlienVault ID ENG-104863.

CWE-78, 2017