GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Jul 08, 2021 7:26 am Post subject: [ GLSA 202107-17 ] Mechanize |
Gentoo Linux Security Advisory
Title: Mechanize: Command injection (GLSA 202107-17)
Severity: high
Exploitable: local, remote
Date: 2021-07-08
Bug(s): #768609
ID: 202107-17
Synopsis
A file named by an attacker being utilized by Mechanize could
result in arbitrary code execution.
Background
Mechanize is a Ruby library used for automating interaction with
websites.
Affected Packages
Package: dev-ruby/mechanize
Vulnerable: < 2.7.7
Unaffected: >= 2.7.7
Architectures: All supported architectures
Description
Mechanize does not neutralize filename input and could allow arbitrary
code execution if an attacker can control filenames used by Mechanize.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Mechanize users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/mechanize-2.7.7"
References
CVE-2021-21289
Last edited by GLSA on Sat Jan 22, 2022 4:35 am; edited 2 times in total
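The advisory only says that Mechanize did not neutralize filename input; the example below is added here and is not Mechanize's or Gentoo's code. It assumes the usual Ruby pitfall behind this bug class: Kernel#open treats a name beginning with "|" as a command to spawn, so a library that passes an attacker-controlled name to it turns a file read into command execution. The helper names (assert_plain_path!, safe_read, rejected?, demo) are hypothetical.

```ruby
# Added example, not Mechanize's own code: treat a caller-supplied filename
# strictly as a path. File.open never interprets a leading "|", unlike
# Kernel#open; the explicit check on top makes the rejection observable.
require "tempfile"

class UnsafeFilename < StandardError; end

# Reject names that Kernel#open would not treat as a plain path.
def assert_plain_path!(name)
  if name.start_with?("|")
    raise UnsafeFilename, "leading '|' would be run as a command by Kernel#open"
  end
  raise UnsafeFilename, "embedded NUL byte" if name.include?("\0")
  name
end

# Validate, then read with File.open, which cannot spawn a process.
def safe_read(name)
  File.open(assert_plain_path!(name), "rb") { |f| f.read }
end

# true when +name+ is rejected by the check, false when accepted.
def rejected?(name)
  assert_plain_path!(name)
  false
rescue UnsafeFilename
  true
end

# Self-check against a constructed temporary file.
def demo
  Tempfile.create("glsa-202107-17") do |f|
    f.write("hello from a real file")
    f.flush
    [safe_read(f.path), rejected?("|true"), rejected?(f.path)]
  end
end

p demo if __FILE__ == $PROGRAM_NAME   # => ["hello from a real file", true, false]
```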