CVE-2019-16255
moderate-risk
Published 2019-11-26
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Do I need to act?
EPSS: 1.2% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS 8.1/10 (High); attack vector: NETWORK; attack complexity: HIGH
Affected Products (5)
References (30)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
Broken Link
https://seclists.org/bugtraq/2019/Dec/31
Broken Link
https://seclists.org/bugtraq/2019/Dec/32
Third Party Advisory
https://security.gentoo.org/glsa/202003-06
Third Party Advisory
https://www.debian.org/security/2019/dsa-4587
Third Party Advisory
Risk score: 39/100 (moderate-risk)
Severity: 24/34 · High
Exploitability: 3/34 · Minimal
Exposure: 12/34 · Low