{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T04:47:28.855","vulnerabilities":[{"cve":{"id":"CVE-2021-21289","sourceIdentifier":"security-advisories@github.com","published":"2021-02-02T19:15:14.220","lastModified":"2024-11-21T05:47:56.533","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."},{"lang":"es","value":"Mechanize es una biblioteca de ruby ??de código abierto que facilita la interacción web automatizada. En Mechanize desde versión 2.0.0 y versiones anteriores a 2.7.7, se presenta una vulnerabilidad de inyección de comandos. Las versiones afectadas de mechanize permiten a unos comandos del Sistema Operativo ser inyectados usando métodos de varias clases que implícitamente usan el método Kernel.open de Ruby. Una explotación es posible solo si es usada una entrada que no sea confiable como nombre de archivo local y sea pasada a cualquiera de estas llamadas: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save y Mechanize::FileResponse#read_body. Esto es corregido en versión 2.7.7"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:C/I:C/A:C","baseScore":7.6,"accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":4.9,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*","versionStartIncluding":"2.0","versionEndExcluding":"2.7.7","matchCriteriaId":"3F476565-B5B7-4547-812E-F9428E9FA312"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","matchCriteriaId":"36D96259-24BD-44E2-96D9-78CE1D41F956"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","matchCriteriaId":"E460AA51-FCDA-46B9-AE97-E6676AA5E194"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"DEECE5FC-CACF-4496-A3E7-164736409252"}]}]}],"references":[{"url":"https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7","source":"security-advisories@github.com","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/","source":"security-advisories@github.com"},{"url":"https://rubygems.org/gems/mechanize/","source":"security-advisories@github.com","tags":["Product","Third Party Advisory"]},{"url":"https://security.gentoo.org/glsa/202107-17","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://rubygems.org/gems/mechanize/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product","Third Party Advisory"]},{"url":"https://security.gentoo.org/glsa/202107-17","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}