The Mechanize rubygem v2.7.7, released on 2021-02-01, contains a fix for
CVE-2021-21289, fully described in the GitHub security advisory
"Command Injection Vulnerability" for sparklemotion/mechanize.
That security advisory is reproduced here for your convenience.
Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected using
several classes' methods which implicitly use Ruby's Kernel.open method.
Exploitation is possible only if untrusted input is used as a local
filename and passed to any of these calls:
- Mechanize::CookieJar#load: since v2.0 (see 208e3ed, "Only cleanup cookies once when adding many cookies from a file. GH #38")
- Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4, "Add session cookies")
- Mechanize#download: since v2.2 (see dc91667, "Added Mechanize#download")
- Mechanize::Download#save and #save!: since v2.1 (see 98b2f51, "Add streaming of response bodies to disk and Mechanize::Download to s…", and bd62ff0, "Update download.rb")
- Mechanize::File#save and #save_as: since v2.1 (see 2bf7519, "Undent Mechanize::File")
- Mechanize::FileResponse#read_body: since v2.0 (see 01039f5, "Read file URIs in binary mode")
These vulnerabilities are patched in Mechanize v2.7.7.
No workarounds are available. We recommend upgrading to v2.7.7 or later.
See the RuboCop Security docs ("Security :: RuboCop Docs") for
background on why Kernel.open should not be used with untrusted input.
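The root cause is the difference between Kernel.open and File.open: Kernel.open treats a
leading "|" in its argument as a command to run rather than a file to open, while File.open
always treats the argument as a path. The following is an added example, not Mechanize's
own code, showing the unsafe pattern beside a hardened loader/saver that uses File.open and
additionally rejects pipe-prefixed names so that a bad input is reported rather than
silently turned into a file literally named "|...". The helper names (pipe_filename?,
unsafe_read, read_local_file, write_local_file) are assumptions chosen for this example.

```ruby
require 'tempfile'

# Detects a filename that Kernel.open would treat as a command pipe.
# Ruby's Kernel.open interprets a leading "|" as "run this program and open a pipe to it".
def pipe_filename?(name)
  name.to_s.start_with?('|')
end

# The vulnerable shape (hypothetical, mirrors the advisory's root cause):
# a bare `open` resolves to Kernel#open, so an attacker-controlled name could
# select a command instead of a file. Shown only for comparison; never call it
# with untrusted input.
def unsafe_read(name)
  open(name, 'rb') { |f| f.read } # Kernel#open, not File.open
end

# Hardened loader: File.open never interprets "|", so the argument is always a path.
# The explicit check makes a pipe-prefixed name fail loudly (useful for logging/alerting)
# instead of producing a confusingly named file on disk.
def read_local_file(name)
  raise ArgumentError, "refusing pipe-prefixed filename: #{name.inspect}" if pipe_filename?(name)
  File.open(name, 'rb') { |f| f.read }
end

# Hardened saver, same idea as read_local_file; returns the number of bytes written.
def write_local_file(name, data)
  raise ArgumentError, "refusing pipe-prefixed filename: #{name.inspect}" if pipe_filename?(name)
  File.open(name, 'wb') { |f| f.write(data) }
  data.bytesize
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a temporary file standing in for a cookie jar or download.
  tmp = Tempfile.new('mechanize-example')
  write_local_file(tmp.path, "session=abc\n")
  puts read_local_file(tmp.path)        # prints the constructed line back
  puts pipe_filename?('|id')            # true: this name would be a command under Kernel.open
  puts pipe_filename?('cookies.txt')    # false: an ordinary path
  tmp.close!
end
```

When auditing a codebase for this class of bug, grep for bare `open(` calls (and `URI.open`-less
`open` from the `open-uri` era) and replace those that take a local path with `File.open`,
`File.read`, or `File.write`; the pipe_filename? check above is a defence-in-depth guard, not a
substitute for that replacement.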
For more information
If you have any questions or comments about this advisory, please open an
issue in sparklemotion/mechanize.
This security advisory has been created for public disclosure of a Command
Injection vulnerability that was responsibly reported by @kyoshidajp
(Katsuhiko YOSHIDA).