FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

RDoc -- command injection vulnerability

Affected packages
rubygem-rdoc < 6.3.1

Details

VuXML ID 57027417-ab7f-11eb-9596-080027f515ea
Discovery 2021-05-02
Entry 2021-05-02

Alexandr Savca reports:

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command.

References

CVE Name CVE-2021-31799
URL https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/