RubySec

Providing security resources for the Ruby community

CVE-2019-5477 (rexical): Rexical Command Injection Vulnerability

GEM

rexical

SEVERITY

CVSS v3: 9.8 (Critical)

CVSS v2: 7.5 (High)

PATCHED VERSIONS

  • >= 1.0.7

DESCRIPTION

A command injection vulnerability exists in the code generated by the Rexical gem in versions v1.0.6 and earlier. The generated file-loading code passes a caller-supplied filename to Ruby's Kernel.open, which treats a string argument beginning with "|" as a command line to run in a subprocess rather than as a path, so an attacker who controls that filename can execute arbitrary commands in the context of the process. Because the flaw lives in the generated output, upgrading the gem is not sufficient on its own: lexers generated with an affected version must be regenerated with 1.0.7 or later (whose generated code uses File.open, which never interprets a leading "|"), or have their open call replaced with File.open.
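As an added example (not code from the rexical project or from this advisory), the Ruby below models the generated file-loading helper in its vulnerable and hardened shapes and exercises both with a constructed pipe-style payload. The method names load_file_vulnerable, load_file_safe and demo, and the "|echo pwned" payload, are illustrative choices, not identifiers from the affected code.

```ruby
require "tempfile"

# Added example, not rexical's generated code: models a lexer helper that
# reads a caller-supplied filename. All method names here are illustrative.

# Vulnerable shape. A bare `open(filename)` inside a class that defines no
# `open` of its own dispatches to Kernel#open, which treats a leading "|" as
# a command line: open("|id") runs `id` and yields a pipe to its stdout.
def load_file_vulnerable(filename)
  open(filename) { |f| f.read }
end

# Hardened shape. File.open never interprets "|"; the argument is a path and
# nothing else, so "|id" is merely a file that does not exist (Errno::ENOENT).
def load_file_safe(filename)
  File.open(filename) { |f| f.read }
end

# Runs both helpers against a real temporary file and against a constructed
# attacker-controlled "filename", returning what each produced so the
# difference can be asserted on rather than just printed.
def demo(payload = "|echo pwned")
  results = {}
  Tempfile.create("rexical-demo") do |tmp|
    tmp.write("token stream\n")
    tmp.flush
    results[:safe_real_file] = load_file_safe(tmp.path)
    results[:vulnerable_real_file] = load_file_vulnerable(tmp.path)
  end
  # With the payload, Kernel#open spawns `echo pwned` and returns its stdout.
  results[:vulnerable_payload] = load_file_vulnerable(payload)
  # File.open refuses to treat the payload as anything but a path.
  results[:safe_payload] =
    begin
      load_file_safe(payload)
    rescue Errno::ENOENT => e
      e.class.name
    end
  results
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Both helpers behave identically on an ordinary path, which is why the bug is easy to miss in review: the difference only appears when the string starts with "|". Newer Ruby releases may emit a deprecation warning for the pipe form of Kernel#open, but it still spawns the subprocess, so the fix is to use File.open (or validate the path with File.file? before opening), not to rely on the interpreter.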