CVE-2021-31799

Name: CVE-2021-31799
Description: A command injection vulnerability in RDoc
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 990815

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby2.3 (PTS) | stretch | 2.3.3-1+deb9u8 | vulnerable |
| ruby2.3 (PTS) | stretch (security) | 2.3.3-1+deb9u9 | vulnerable |
| ruby2.5 (PTS) | buster | 2.5.5-3+deb10u3 | vulnerable |
| ruby2.5 (PTS) | buster (security) | 2.5.5-3+deb10u2 | vulnerable |
| ruby2.7 (PTS) | bullseye, sid | 2.7.4-1 | fixed |

The information below is based on the following data on fixed versions.

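| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ruby2.3 | source | (unstable) | (unfixed) | | | |
| ruby2.5 | source | (unstable) | (unfixed) | | | |
| ruby2.7 | source | (unstable) | 2.7.4-1 | | | 990815 |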

Notes

Introduced in (rdoc): https://github.com/ruby/rdoc/commit/4a8b7bed7cd5647db92c620bc6f33e4c309d2212 (v3.11)
Fixed in (rdoc): https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7 (v6.3.1)
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e (master)
https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522 (2.7)
