ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.4 (High)
UNAFFECTED VERSIONS
- < 2.0
PATCHED VERSIONS
- >= 2.7.7
DESCRIPTION
Impact
Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected using several
classes’ methods which implicitly use Ruby’s Kernel.open method. Exploitation is
possible only if untrusted input is used as a local filename and passed to any of
these calls:
- Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
- Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
- Mechanize#download: since v2.2 (see dc91667)
- Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
- Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
- Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)
Patches
These vulnerabilities are patched in Mechanize v2.7.7.
Workarounds
No workarounds are available. We recommend upgrading to v2.7.7 or later.
References
See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background
on why Kernel.open should not be used with untrusted input.