From b6490fcafb7a78bb0a1a57d144edac5387ad2a97 Mon Sep 17 00:00:00 2001 From: Robert Schultheis Date: Tue, 2 Feb 2021 11:49:12 -0700 Subject: [PATCH] Add CVE-2021-21289 for GHSA-qrqm-fpv6-6r8g --- 2021/21xxx/CVE-2021-21289.json | 92 +++++++++++++++++++++++++++++++--- 1 file changed, 86 insertions(+), 6 deletions(-) diff --git a/2021/21xxx/CVE-2021-21289.json b/2021/21xxx/CVE-2021-21289.json index 80c2880f003..f44ab6fcdd5 100644 --- a/2021/21xxx/CVE-2021-21289.json +++ b/2021/21xxx/CVE-2021-21289.json @@ -1,18 +1,98 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21289", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Command Injection Vulnerability in Mechanize" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "mechanize", + "version": { + "version_data": [ + { + "version_value": ">= 2.0, < 2.7.7" + } + ] + } + } + ] + }, + "vendor_name": "sparklemotion" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability.\n\nAffected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body.\n\nThis is fixed in version 2.7.7." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.4, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g", + "refsource": "CONFIRM", + "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g" + }, + { + "name": "https://rubygems.org/gems/mechanize/", + "refsource": "MISC", + "url": "https://rubygems.org/gems/mechanize/" + }, + { + "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7", + "refsource": "MISC", + "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7" + }, + { + "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0", + "refsource": "MISC", + "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0" + } + ] + }, + "source": { + "advisory": "GHSA-qrqm-fpv6-6r8g", + "discovery": "UNKNOWN" } } \ No newline at end of file