CVE-2021-21289

Name	CVE-2021-21289
Description	Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2561-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby-mechanize (PTS)	bullseye	2.7.7-1	fixed
	bookworm	2.8.5-1	fixed
	sid, trixie	2.10.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
ruby-mechanize	source	stretch	2.7.5-1+deb9u1	DLA-2561-1
ruby-mechanize	source	buster	2.7.6-1+deb10u1
ruby-mechanize	source	(unstable)	2.7.7-1

Notes

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
https://github.com/sparklemotion/mechanize/commit/aae0b13514a1a0caf93b1cf233733c50e679069a (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/2ac906b26f4a565a0af92df5fb9c8a36c2b75375 (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/f43a3952ab39341136656b0a8b2c8597ba1b4adc (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/b48b12f5db33c5a94a14dfcab8adf3e73cfa0388 (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/63f8779e49664d5e95fae8d42d04c8e373162b3c (v2.7.7)
Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7)