Description
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
Report
Red Hat CloudForms 5.10 and Red Hat Satellite 6 contain the affected rake version; however, they are not vulnerable, since they do not call egrep after FileList loads a filename containing the pipe character, which makes OS command injection practically impossible with their existing Rakefile. Red Hat may update rake in future releases.
The version of rubygem-rake shipped with Red Hat Gluster Storage includes the vulnerable code, but the FileList module is currently not used by the product, and hence this issue has been rated as having a security impact of Low for RHGS.
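The following is an added example, not code from the advisory or from Rake itself. It shows the defensive pattern behind the fix: reject pipe-prefixed names before any file is opened, and open files with File.open (which never spawns a process) rather than Kernel#open (which treats a leading `|` as a command). The function names `pipe_prefixed?`, `safe_egrep` and `demo` and the sample files are constructed for this example.

```ruby
# Added example (not from the advisory or from Rake): a hardened grep over a
# list of filenames, modelled on what FileList#egrep does, that refuses
# pipe-prefixed names and uses File.open instead of Kernel#open.
require "tmpdir"

# True for any name that Kernel#open would interpret as "spawn a command"
# (a leading "|", optionally preceded by whitespace).
def pipe_prefixed?(name)
  name.to_s.lstrip.start_with?("|")
end

# Hardened equivalent of FileList#egrep: returns [filename, line_number, line]
# for every line matching pattern, and raises before opening anything if any
# supplied name is pipe-prefixed.
def safe_egrep(filenames, pattern)
  unsafe = filenames.select { |fn| pipe_prefixed?(fn) }
  unless unsafe.empty?
    raise ArgumentError, "refusing pipe-prefixed filename(s): #{unsafe.inspect}"
  end

  matches = []
  filenames.each do |fn|
    # File.open never spawns a subprocess; a name such as "|id" would simply
    # be a (non-existent) file and raise Errno::ENOENT.
    File.open(fn, "r") do |io|
      io.each_line.with_index(1) do |line, lineno|
        matches << [fn, lineno, line.chomp] if line.match?(pattern)
      end
    end
  end
  matches
end

# Self-contained demo over constructed files in a temporary directory:
# one legitimate search and one rejected call carrying a pipe-prefixed name.
def demo
  Dir.mktmpdir do |dir|
    a = File.join(dir, "a.rb")
    b = File.join(dir, "b.rb")
    File.write(a, "puts 'hello'\n# TODO: fix\n")
    File.write(b, "# nothing here\n")
    {
      matches: safe_egrep([a, b], /TODO/),
      rejected: (safe_egrep(["|id", a], /TODO/) rescue $!.class)
    }
  end
end
```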
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5 | cfme-amazon-smartstate | Fix deferred | | |
| CloudForms Management Engine 5 | cfme-gemset | Fix deferred | | |
| Red Hat OpenShift Container Platform 3.11 | fluentd | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-fluentd | Not affected | | |
| Red Hat Storage 3 | rubygem-rake | Affected | | |
| Red Hat Satellite 6.10 for RHEL 7 | satellite | Fixed | RHSA-2021:4702 | 16.11.2021 |
Additional information
Status:
EPSS
6.4 Medium
CVSS3
Related vulnerabilities
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.