CVE-2019-5477 (rexical): Rexical Command Injection Vulnerability

Rexical Command Injection Vulnerability

Published: August 11, 2019

SECURITY IDENTIFIERS

CVE: CVE-2019-5477 (NVD)
GHSA: GHSA-cr5j-953j-xw5p
Vendor Advisory: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926

GEM

rexical

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

>= 1.0.7

DESCRIPTION

A command injection vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. It allows commands to be executed in a subprocess by Ruby's Kernel.open method.

https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06
https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ

RubySec