|
Lines 76-81
Notes:
Link Here
|
| 76 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
76 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
| 77 |
--> |
77 |
--> |
| 78 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
78 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
|
|
79 |
<vuln vid="57027417-ab7f-11eb-9596-080027f515ea"> |
| 80 |
<topic>RDoc -- command injection vulnerability</topic> |
| 81 |
<affects> |
| 82 |
<package> |
| 83 |
<name>rubygem-rdoc</name> |
| 84 |
<range><lt>6.3.1</lt></range> |
| 85 |
</package> |
| 86 |
</affects> |
| 87 |
<description> |
| 88 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 89 |
<p>Alexandr Savca reports:</p> |
| 90 |
<blockquote cite="https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/"> |
| 91 |
<p> |
| 92 |
RDoc used to call Kernel#open to open a local file. If a Ruby project |
| 93 |
has a file whose name starts with | and ends with tags, the command |
| 94 |
following the pipe character is executed. A malicious Ruby project |
| 95 |
could exploit it to run an arbitrary command execution against a user |
| 96 |
who attempts to run rdoc command. |
| 97 |
</p> |
| 98 |
</blockquote> |
| 99 |
</body> |
| 100 |
</description> |
| 101 |
<references> |
| 102 |
<cvename>CVE-2021-31799</cvename> |
| 103 |
<url>https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/</url> |
| 104 |
</references> |
| 105 |
<dates> |
| 106 |
<discovery>2021-05-02</discovery> |
| 107 |
<entry>2021-05-02</entry> |
| 108 |
</dates> |
| 109 |
</vuln> |
| 110 |
|
| 79 |
<vuln vid="0add6e6b-6883-11eb-b0cb-f8b156c2bfe9"> |
111 |
<vuln vid="0add6e6b-6883-11eb-b0cb-f8b156c2bfe9"> |
| 80 |
<topic>sympa -- Unauthorised full access via SOAP API due to illegal cookie</topic> |
112 |
<topic>sympa -- Unauthorised full access via SOAP API due to illegal cookie</topic> |
| 81 |
<affects> |
113 |
<affects> |
| 82 |
- |
|
|