CVE-2019-16255

EUVD-2019-7061
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Weakness: Code Injection

CVSS 3.x (Provider: NIST, Primary)
Base Score:          8.1 HIGH
Attack Vector:       NETWORK
Attack Complexity:   HIGH
Privileges Required: NONE
Vector:              CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile:     80%
Affected Products (NVD)
Vendor      Product        Version
ruby-lang   ruby           2.4.0 <= x <= 2.4.7
ruby-lang   ruby           2.5.0 <= x <= 2.5.6
ruby-lang   ruby           2.6.0 <= x <= 2.6.4
debian      debian_linux   8.0
debian      debian_linux   9.0
opensuse    leap           15.1
oracle      graalvm        19.3.0.2
x = vulnerable software versions
Debian Releases
Product   Codename   Version          Status
jruby     bookworm   9.3.9.0+ds-8     fixed
jruby     sid        9.4.8.0+ds-1     fixed
jruby     trixie     9.4.8.0+ds-1     fixed
Ubuntu Releases
Product   Codename   Status         Fixed version
jruby     bionic     needs-triage
jruby     disco      ignored
jruby     eoan       ignored
jruby     focal      needs-triage
jruby     groovy     ignored
jruby     hirsute    ignored
jruby     impish     ignored
jruby     lunar      ignored
jruby     mantic     ignored
jruby     noble      needs-triage
jruby     trusty     released       1.5.6-9+deb8u2build0.14.04.1~esm2
jruby     xenial     needs-triage
ruby2.3   bionic     dne
ruby2.3   disco      dne
ruby2.3   eoan       dne
ruby2.3   focal      dne
ruby2.3   groovy     dne
ruby2.3   hirsute    dne
ruby2.3   impish     dne
ruby2.3   jammy      dne
ruby2.3   kinetic    dne
ruby2.3   lunar      dne
ruby2.3   mantic     dne
ruby2.3   noble      dne
ruby2.3   trusty     dne
ruby2.3   xenial     released       2.3.1-2~ubuntu16.04.14
ruby2.5   bionic     released       2.5.1-1ubuntu1.6
ruby2.5   disco      released       2.5.5-1ubuntu1.1
ruby2.5   eoan       released       2.5.5-4ubuntu2.1
ruby2.5   focal      dne
ruby2.5   groovy     dne
ruby2.5   hirsute    dne
ruby2.5   impish     dne
ruby2.5   jammy      dne
ruby2.5   kinetic    dne
ruby2.5   lunar      dne
ruby2.5   mantic     dne
ruby2.5   noble      dne
ruby2.5   trusty     dne
ruby2.5   xenial     dne