Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: rexical
date: 2019-08-11
url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
cve: 2019-5477
title: Rexical Command Injection Vulnerability
description: |
  A command injection vulnerability is present in code generated by the
  Rexical gem, versions v1.0.6 and earlier. The generated code opens its
  input with Ruby's `Kernel.open`, which spawns a subprocess when the
  supplied filename begins with `|`, so anyone who controls that filename
  can execute arbitrary commands.
cvss_v2: '7.5'
cvss_v3: '9.8'
patched_versions:
- ">= 1.0.7"
related:
  url:
  - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06
  - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ
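The following is an added example, not code from the Rexical gem or its patch: it shows the class of bug this advisory describes in isolation. `read_source_unsafe` stands in for generated code that opens its input file with the bare `open` (Ruby's `Kernel#open`), and `read_source_safe` is the same operation done with `File.open`, which only ever opens files. The function names, the `demonstrate` helper and the `INJECTED_NAME` input are constructed for the demonstration; the input is a string that looks like a file name but that `Kernel#open` treats as "run this command and read its output".

```ruby
require "tempfile"

# Added example (not Rexical's own code). Kernel#open treats a leading "|"
# as a request to run a command and open a pipe to it, so a file name taken
# from an untrusted source becomes a command execution primitive.

# Vulnerable pattern: the bare `open` here resolves to Kernel#open.
def read_source_unsafe(path)
  open(path) { |io| io.read }
end

# Hardened pattern: File.open never spawns a process; a name beginning
# with "|" is looked up as a literal (and here nonexistent) file name.
def read_source_safe(path)
  File.open(path) { |io| io.read }
end

# Constructed input for the demonstration: a "file name" that is really a
# shell command as far as Kernel#open is concerned.
INJECTED_NAME = "|echo pwned"

# Runs both variants on the injected name and on a genuine file, and
# returns what each produced so the difference can be checked.
def demonstrate
  results = {}

  # Kernel#open runs `echo pwned` and hands back its stdout.
  results[:unsafe] = read_source_unsafe(INJECTED_NAME)

  # File.open fails with ENOENT: no file is literally called "|echo pwned".
  results[:safe] = begin
    read_source_safe(INJECTED_NAME)
  rescue SystemCallError => e
    e.class
  end

  # On a real file both behave identically, so the fix costs nothing.
  Tempfile.create("rexical-demo") do |f|
    f.write("class Lexer\nend\n")
    f.flush
    results[:safe_real_file] = read_source_safe(f.path)
  end

  results
end

if __FILE__ == $PROGRAM_NAME
  demonstrate.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

The same `|`-prefix behaviour applies to other `Kernel`/`IO` entry points that accept a "command or file" argument, so when auditing a code base for this pattern, look for any bare `open(...)` whose argument can come from user input, not only the one location the advisory names.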