RubySec

Providing security resources for the Ruby community

CVE-2021-3779 (ruby-mysql): ruby-mysql Client File Read

ruby-mysql Client File Read

Published: June 28, 2022

SECURITY IDENTIFIERS

GEM

ruby-mysql

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

>= 2.10.0

DESCRIPTION

A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. This issue was resolved in version 2.10.0 and later.
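To check whether a project resolves to an affected release, the following added example (not code from RubySec or from the ruby-mysql project) scans `Gemfile.lock` text for the locked ruby-mysql version and compares it with the first patched version, 2.10.0. The function names and both sample lockfiles are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version

ADVISORY_GEM  = "ruby-mysql"
FIRST_PATCHED = Gem::Version.new("2.10.0") # from PATCHED VERSIONS above

# Resolved gems sit at exactly four spaces of indent under "specs:".
# Six-space lines are a gem's own dependencies and DEPENDENCIES entries
# use two spaces, so neither is mistaken for the locked version.
def locked_versions(lockfile_text, gem_name = ADVISORY_GEM)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)[ \t]*$/
  lockfile_text.scan(pattern).flatten.map do |raw|
    Gem::Version.new(raw.split("-").first) # drop any platform suffix
  end
end

# Returns :not_present, :patched or :vulnerable for the lockfile text.
def audit(lockfile_text)
  versions = locked_versions(lockfile_text)
  return :not_present if versions.empty?
  versions.all? { |v| v >= FIRST_PATCHED } ? :patched : :vulnerable
end

# Constructed sample: locked below 2.10.0.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      ruby-mysql (2.9.14)

  DEPENDENCIES
    ruby-mysql (~> 2.9)
LOCK

# Constructed sample: locked at the first patched release.
PATCHED_LOCK = VULNERABLE_LOCK.sub("(2.9.14)", "(2.10.0)")

if __FILE__ == $PROGRAM_NAME
  path = ARGV.first || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : VULNERABLE_LOCK
  puts "#{ADVISORY_GEM}: #{audit(text)}"
end
```

Run it from a project root to audit that project's `Gemfile.lock`; with no lockfile present it falls back to the constructed vulnerable sample.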

RELATED