CVE-2021-31799 (rdoc): RDoc OS command injection vulnerability

ADVISORIES

CVE-2021-31799 (NVD)
GHSA-ggxm-pgc9-g7fp
Vendor Advisory

GEM

rdoc

SEVERITY

CVSS v3.x: 7.0 (High)

UNAFFECTED VERSIONS

< 3.11.0

PATCHED VERSIONS

~> 6.1.2.1
~> 6.2.1.1
>= 6.3.1

DESCRIPTION

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command.

RubySec