CVSS v3.x: 7.4 (High)
- < 2.0
- >= 2.7.7
< v2.7.7 allows for OS commands to be injected using several
classes’ methods which implicitly use Ruby’s
Kernel.open method. Exploitation is
possible only if untrusted input is used as a local filename and passed to any of
- Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
- Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
- Mechanize#download: since v2.2 (see dc91667)
- Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
- Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
- Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)
These vulnerabilities are patched in Mechanize v2.7.7.
No workarounds are available. We recommend upgrading to v2.7.7 or later.
See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background
Kernel.open should not be used with untrusted input.