36 matches found
Astra Linux - уязвимость в ruby-nokogiri
A command injection vulnerability exists in Nokogiri v1.10.3 and earlier. This vulnerability allows commands to be executed in a subprocess via Ruby’s Kernel.open method. Processes become vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is called with unsafe user input ...
EUVD-2017-8941
Malware in sbrugna...
CVE-2025-37789
CVE-2025-37789 (net: openvswitch: fix nested key length validation in the set() action) is covered by connected advisories, which confirm a Linux kernel vulnerability in netlink key length handling for the set() action in Open vSwitch. The description notes that accessing nla_len(ovs_key) is unsa...
RDoc: Command Injection
Background RDoc produces HTML and command-line documentation for Ruby projects. Description A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details. Impact RDoc used to call Kernelopen to open a local file. If a Ruby project has a file whose name...
SUSE CVE-2017-17790
The lazyinitialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernelopen, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input ma...
SUSE CVE-2019-5477
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is being called with unsafe user input as the filename. This...
CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. Recent assessments: wvu-r7 at May 03, 2021 1:43am UTC reported: CVE-2021-31799 Perlisms strike again in this RDoc command injection. Kernelopen is...
OESA-2021-1150 rubygem-mini_magick security update
A ruby wrapper for ImageMagick command line. Using MiniMagick the ruby processes memory remains small it spawns ImageMagick's command line program mogrify which takes up some memory as well, but is much smaller compared to RMagick. Security Fixes: In lib/minimagick/image.rb in MiniMagick before...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection. It used to call Kernelopen to open a local file. If a Ruby project hasa file whose name starts with | and ends with tags, the command followingthe pipe character is executed. A malicious Ruby project could exploit it...
FreeBSD : RDoc -- command injection vulnerability (57027417-ab7f-11eb-9596-080027f515ea)
Alexandr Savca reports : RDoc used to call Kernelopen to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a use...
RDoc OS command injection vulnerability
RDoc used to call Kernelopen to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdo...
Updated ruby-mechanize packages fix a security vulnerability
In Mechanize, from v2.0.0 until v2.7.7, there is a command injection vulnerability. Affected versions of Mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernelopen method CVE-2021-21289...
Nokogiri: Command injection
Background Nokogiri is an HTML, XML, SAX, and Reader parser. Description A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess by Ruby’s Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is being...
Command Injection
Overview bibtex-ruby is a BibTeX library, parser, and converter for Ruby. Affected versions of this package are vulnerable to Command Injection due to unsanitized user input being passed directly to the built-in dangerous Ruby Kernel.open method through BibTeX.open. PoC by Snyk: require ‘bibtex’...
[SECURITY] [DLA 1933-1] ruby-nokogiri security update
Package : ruby-nokogiri Version : 1.6.3.1+ds-1+deb8u1 CVE ID : CVE-2019-5477 A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess by Rubys Kernel.open method. For Debian 8 "Jessie", this problem has been fixed in version 1.6.3.1+ds-1+deb8u1. We recommend th...
DEBIAN-CVE-2019-5477
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is being called with unsafe user input as the filename. This...
UBUNTU-CVE-2019-5477
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is being called with unsafe user input as the filename. This...
CVE-2019-5477
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is being called with unsafe user input as the filename. This...
OS Command Injection
minimagick is vulnerable to OS command injection. The input to Image.open is passed directly to Kernelopen, which accepts the | character. This allows a remote attacker to inject arbitrary OS command via a malicious image filename...
CVE-2019-13574
In lib/minimagick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernelopen, which accepts a '|' character followed by a command...