CVE-2021-33575

EUVD-2021-2261
The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
pixarruby-jss
𝑥
< 1.6.0
𝑥
= Vulnerable software versions
References
https://github.com/PixarAnimationStudios/ruby-jss/blob/e6d48dd8c77f9275c76787d60d3472615fcd9b77/CHANGES.md#160---2021-05-24
https://github.com/patsplat/plist/tree/ce8f9ae42a114f603ea200c955e420782bffc4ad#label-Security+considerations
https://github.com/PixarAnimationStudios/ruby-jss/blob/e6d48dd8c77f9275c76787d60d3472615fcd9b77/CHANGES.md#160---2021-05-24
https://github.com/patsplat/plist/tree/ce8f9ae42a114f603ea200c955e420782bffc4ad#label-Security+considerations