CVE-2021-21289

NameCVE-2021-21289
DescriptionMechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2561-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-mechanize (PTS)bullseye2.7.7-1fixed
bookworm2.8.5-1fixed
sid, trixie2.10.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-mechanizesourcestretch2.7.5-1+deb9u1DLA-2561-1
ruby-mechanizesourcebuster2.7.6-1+deb10u1
ruby-mechanizesource(unstable)2.7.7-1

Notes

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
https://github.com/sparklemotion/mechanize/commit/aae0b13514a1a0caf93b1cf233733c50e679069a (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/2ac906b26f4a565a0af92df5fb9c8a36c2b75375 (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/f43a3952ab39341136656b0a8b2c8597ba1b4adc (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/b48b12f5db33c5a94a14dfcab8adf3e73cfa0388 (v2.7.7)
https://github.com/sparklemotion/mechanize/commit/63f8779e49664d5e95fae8d42d04c8e373162b3c (v2.7.7)
Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7)

Search for package or bug name: Reporting problems