Ruby official site security update (2021-05-02)

Source: Ruby official site   Published: 2021-05-02   Views: 3090   Comments: 0

Basic information

Publication date: 2021-05-02 (vendor local time)

Update type: security update

Updated version: unknown

Detected at: 2021-05-02 22:35:06

Risk level: unknown

Intelligence contributed by: TSRC

Update title

CVE-2021-31799: A command injection vulnerability in RDoc

Update details

There is a vulnerability about Command Injection in RDoc which is bundled in Ruby.
It is recommended that all Ruby users update RDoc to the latest version that fixes this issue.

Details

The following vulnerability has been reported.

CVE-2021-31799

RDoc used to call Kernel#open to open a local file. Because Kernel#open treats a name that begins with the pipe character as a command to run rather than a path to read, if a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit this to achieve arbitrary command execution against a user who runs the rdoc command on it.

Ruby users whose version of RDoc is affected by this issue should update to the latest version of RDoc.
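As an added illustration (not code from the Ruby advisory or from RDoc itself), the Ruby snippet below places the Kernel#open pattern the advisory describes next to a replacement that only ever treats the name as a path, and adds a small audit check for pipe-prefixed file names. The temporary directory and file name are constructed for the demo.

```ruby
require "tmpdir"

# Vulnerable pattern (the shape described in the advisory): Kernel#open
# interprets a leading "|" as "spawn this command and read its output", so an
# untrusted file name decides whether a file is read or a process is started.
def read_source_vulnerable(name)
  open(name, "rb") { |io| io.read }   # never call with untrusted names
end

# Hardened pattern: File.open has no pipe behaviour; the argument is a path and
# nothing else, so a name beginning with "|" is just an oddly named file.
def read_source_safe(name)
  File.open(name, "rb") { |io| io.read }
end

# Audit helper: flags names that Kernel#open would have run as commands.
# Useful when reviewing code that still passes file names to Kernel#open.
def pipe_prefixed?(name)
  name.start_with?("|")
end

# Demo on a constructed project directory holding one file whose relative name
# starts with "|". Returns [flagged?, contents read via the safe path].
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      name = "|harmless name.rb"                      # constructed sample name
      File.open(name, "wb") { |f| f.write("# constructed sample file\n") }
      [pipe_prefixed?(name), read_source_safe(name)]  # reads bytes, spawns nothing
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  flagged, content = demo
  puts "pipe-prefixed name flagged: #{flagged}"
  puts "safe read returned: #{content.inspect}"
end
```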

Affected Versions


All releases of RDoc from 3.11 to 6.3.0

How to Update

Run the following command to update RDoc to the latest version (6.3.1 or later) to fix the vulnerability.

gem install rdoc

Credits

Thanks to Alexandr Savca for reporting the issue.

History

Originally published at 2021-05-02 09:00:00 UTC

Posted by aycabta on 2 May 2021

Software description

Ruby is a simple and fast object-oriented scripting language, developed in the 1990s by Yukihiro Matsumoto of Japan and distributed under the GPL and the Ruby License.

CVE number

TSRC analysis

None yet

Industry news

None yet
