CVE-2021-21289

Command Injection Vulnerability in Mechanize

CVSS 7.4 HIGH | EPSS 3.5% | CWE-78
In short

Mechanize, a Ruby library for web automation, lets an attacker run OS commands when an untrusted file name reaches one of its file-loading or file-saving methods. Those methods hand the name to Ruby's Kernel.open, which treats a name beginning with "|" as a command to spawn rather than a file to open, and the affected versions did not reject such names before opening them.

Technical detail

Command injection (CWE-78) in Mechanize 2.0.0 through 2.7.6, fixed in 2.7.7. Several methods pass a caller-supplied local filename straight to Ruby's Kernel.open, which spawns a shell command when the name starts with "|": Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save and Mechanize::FileResponse#read_body. Exploitation requires that an attacker control the filename passed to one of these calls; the impact is arbitrary OS command execution with the privileges of the application process.

Summary generated and translated by AI from the official description.
Mechanize is an open-source Ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
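The following is an added example, not code from Mechanize or from this advisory. It reproduces the root cause of the bug in isolation: a filename given to Ruby's Kernel#open is run as a shell command when it starts with "|", whereas File.open only ever treats the string as a path. The read/save pairs mirror the shape of the affected load/save methods, and constrained_path is a hypothetical application-side guard (not part of the library) for code that must accept filenames from untrusted input; the "|echo" and "|cat" inputs are constructed, harmless stand-ins for an attacker's payload.

```ruby
# Added example, not Mechanize's own code. It reproduces the pattern behind
# CVE-2021-21289 in isolation: a filename handed to Kernel#open is interpreted
# as a shell command when it starts with "|", while File.open never spawns.
require "tmpdir"

# Vulnerable pattern (what the affected methods did): Kernel#open.
# A name like "|echo injected" runs `echo injected` and returns its output.
def read_vulnerable(filename)
  open(filename, "rb") { |io| io.read }
end

# Same problem on the write side: "|cat > /some/path" pipes the body into cat.
def save_vulnerable(filename, body)
  open(filename, "wb") { |io| io.write(body) }
end

# Fixed pattern: File.open treats the whole string as a path, so "|echo x"
# is only a (most likely non-existent) file and raises Errno::ENOENT.
def read_fixed(filename)
  File.open(filename, "rb") { |io| io.read }
end

def save_fixed(filename, body)
  File.open(filename, "wb") { |io| io.write(body) }
end

# Defence in depth for application code that takes filenames from untrusted
# input (hypothetical helper, not from the library): keep only the basename,
# reject names that start with "|" or ".", and confine the result to base_dir.
def constrained_path(base_dir, untrusted_name)
  name = File.basename(untrusted_name)
  if name.empty? || name.start_with?("|", ".")
    raise ArgumentError, "rejected filename: #{untrusted_name.inspect}"
  end
  root = File.expand_path(base_dir)
  path = File.expand_path(name, root)
  unless path.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "path escapes #{root}: #{path}"
  end
  path
end

# Stand-alone demo; the constructed attacker input is the harmless "|echo".
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts "Kernel#open:  #{read_vulnerable("|echo injected").inspect}"  # command ran
    begin
      read_fixed("|echo injected")
    rescue Errno::ENOENT => e
      puts "File.open:    #{e.class}"                                  # no command
    end
    path = constrained_path(dir, "../../etc/passwd")
    save_fixed(path, "cookie data")
    puts "confined to:  #{path} -> #{read_fixed(path).inspect}"
  end
end
```

The guard is deliberately stricter than the library fix: switching to File.open closes the command-injection hole, but an application that still builds a save path from, say, a server-supplied filename can be pushed into writing outside its download directory, so the basename-plus-prefix check is the complementary control on the caller's side.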
