
Commit b08e96c

committed
Separated jruby info from ruby advisory into its own
1 parent ceb1564 commit b08e96c


2 files changed

+31
-5
lines changed


rubies/jruby/CVE-2019-16255.yml

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
---
2+
engine: jruby
3+
cve: 2019-16255
4+
ghsa: ph7w-p94x-9vvw
5+
url: https://nvd.nist.gov/vuln/detail/CVE-2019-16255
6+
title: A code injection vulnerability of Shell#[] and Shell#test
7+
date: 2019-10-01
8+
description: |
9+
Shell#[] and its alias Shell#test defined in lib/shell.rb allow code
10+
injection if the first argument (aka the “command” argument) is untrusted
11+
data. An attacker can exploit this to call an arbitrary Ruby method.
12+
13+
Note that passing untrusted data to methods of Shell is dangerous in general.
14+
Users must never do it. However, we treat this particular case as a
15+
vulnerability because the purpose of Shell#[] and Shell#[] is considered file
16+
testing.
17+
cvss_v2: 6.8
18+
cvss_v3: 8.1
19+
patched_versions:
20+
- ">= 9.3.0.0"
21+
related:
22+
url:
23+
- https://nvd.nist.gov/vuln/detail/CVE-2019-16255
24+
- https://github.com/jruby/jruby/releases/tag/9.3.0.0
25+
- https://github.com/jruby/jruby/issues/5126
26+
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
27+
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
28+
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
29+
- https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255
30+
- https://hackerone.com/reports/327512
31+
- https://github.com/advisories/GHSA-ph7w-p94x-9vvw
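Review bot: the last sentence of the description, "the purpose of Shell#[] and Shell#[] is considered file testing", names the same method twice; the title line pairs Shell#[] with its alias Shell#test, so the second occurrence should presumably read Shell#test. Two smaller points in the same file: the NVD link is given both as `url:` and as the first `related:` entry, so one copy is redundant; and `patched_versions: - ">= 9.3.0.0"` with no `unaffected_versions` marks every earlier JRuby release as affected, while `date: 2019-10-01` is the date of the ruby-lang advisory rather than of the JRuby release linked under related, so both are worth confirming against the linked 9.3.0.0 release notes before merging.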

rubies/ruby/CVE-2019-16255.yml

Lines changed: 0 additions & 5 deletions
@@ -36,9 +36,4 @@ related:
3636
- https://security.gentoo.org/glsa/202003-06
3737
- https://www.oracle.com/security-alerts/cpujan2020.html
3838
- https://hackerone.com/reports/327512
39-
- https://github.com/jruby/jruby/releases/tag/9.3.0.0
40-
- https://github.com/jruby/jruby/issues/5126
41-
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
42-
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
43-
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
4439
- https://github.com/advisories/GHSA-ph7w-p94x-9vvw
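Review bot: the five lines dropped here include all three debian-lts-announce links, which are moved wholesale to the jruby file; if any of those Debian LTS advisories concerns the MRI `ruby` packages rather than `jruby`, it should stay in this list as well. The hackerone and GHSA entries are kept in both files, so sharing a link between the two advisories is already the convention here; check each of the three Debian links individually before dropping them from the ruby advisory.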
