Home > Vulnerability Database > CVE-2021-21289

Mend.io Vulnerability Database

CVE-2021-21289

Good to know:

Date: February 2, 2021

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.

Language: Ruby

Severity Score

7.4

Related Resources (16)

Url: https://rubygems.org/gems/mechanize/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/

Url: https://rubygems.org/gems/mechanize

Url: https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0

Url: https://security-tracker.debian.org/tracker/CVE-2021-21289

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-21289

Url: https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html

Url: https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7

Url: https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V

Url: https://security.gentoo.org/glsa/202107-17

Url: https://github.com/sparklemotion/mechanize

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/

Url: https://www.mend.io/vulnerability-database/CVE-2021-21289

Severity Score

7.4

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version mechanize - 2.7.7

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	7.6
Access Vector (AV):	NETWORK
Access Complexity (AC):	HIGH
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-21289

Good to know:

Date: February 2, 2021

Language: Ruby

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?