A vulnerability has been found in RDoc which allows for command injection.
Package | dev-ruby/rdoc on all architectures |
---|---|
Affected versions | < 6.3.2 |
Unaffected versions | >= 6.3.2 |
RDoc produces HTML and command-line documentation for Ruby projects.
A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details.
RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit this to execute arbitrary commands against a user who attempts to run the rdoc command.
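The check below is an added example, not code from RDoc or from this advisory: it lists files in a project tree whose names start with the pipe character, and shows that File.open reads such a name as an ordinary path. The helper names and the sample file name are hypothetical and constructed for illustration.

```ruby
require "find"
require "tmpdir"

# Hypothetical helper: list project-relative paths whose basename starts with
# "|", the filename shape that RDoc < 6.3.2 handed to Kernel#open.
def pipe_prefixed_files(root)
  hits = []
  Find.find(root) do |path|
    next unless File.basename(path).start_with?("|")
    hits << path.delete_prefix(root + File::SEPARATOR)
  end
  hits.sort
end

# Hypothetical helper: open a relative name from inside its directory.
# File.open always treats its argument as a path, so a leading "|" is just a
# character in the name and no subprocess is started.
def read_literal(dir, name)
  Dir.chdir(dir) { File.open(name, "r", &:read) }
end

# Builds a constructed sample project in a temp dir and runs both helpers.
def demo
  Dir.mktmpdir("rdoc-check") do |root|
    name = "|echo constructed tags" # constructed sample file name
    File.write(File.join(root, "README.md"), "ordinary file\n")
    File.write(File.join(root, name), "constructed sample\n")
    { flagged: pipe_prefixed_files(root), content: read_literal(root, name) }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "flagged: #{result[:flagged].inspect}"
  puts "read as a plain file: #{result[:content].inspect}"
end
```

Running pipe_prefixed_files over an untrusted checkout before generating documentation shows whether any file name has the shape described above.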
There is no known workaround at this time.
All RDoc users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.3.2"
Release date: January 05, 2024
Latest revision: January 05, 2024: 1
Severity: normal
Exploitable: remote
Bugzilla entries