ALAS-2021-1506 --- ruby24 packages
ID: oval:org.secpod.oval:def:1601442 | Date: (C)2021-05-31 (M)2024-01-29 |
Class: PATCH | Family: unix |
RDoc before version 6.3.1 used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit this to execute arbitrary commands against a user who attempts to run the rdoc command.
Platform: |
Amazon Linux AMI |
Product: |
ruby24 |
rubygem24 |
rubygems24 |