| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| job-iteration | rubygems | < 1.11 | 1.11 |
The vulnerability lies in the `CsvEnumerator#size` method of the job-iteration gem. According to the security advisory, calling `size` on an enumerator built from an untrusted CSV filename can lead to arbitrary code execution. This points to OS command injection: `size` evidently determines the number of rows by running a shell command into which the filename is interpolated without quoting or escaping, so shell metacharacters in the name (`;`, `|`, `$(...)`, backticks) are interpreted by the shell. Control over the path alone is sufficient; the attacker does not need to control the CSV contents, and the count returned can look entirely normal while the injected command runs. Although I was unable to fetch the commit details due to repository restrictions, the advisory provides specific information that allows for a confident identification of the vulnerable function. The fix, introduced in version 1.11.0, likely either avoids shelling out to determine the file size (counting rows in Ruby) or invokes the helper program without a shell, passing the filename as a single argument; escaping a string for the shell is the brittle third option. Applications can confirm their exposure by checking the resolved `job-iteration` version in `Gemfile.lock`, or with `bundle exec bundler-audit check --update` once the advisory is present in ruby-advisory-db.
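To make the vulnerability class concrete, the following is an added Ruby illustration, not job-iteration's code and not the actual patch: a deliberately vulnerable row counter that interpolates the path into a shell command string, next to two hardened variants (one that still runs `wc` but without a shell, one that counts in Ruby). The method names, the use of `wc -l`, the hostile filename and the sample CSV are all assumptions constructed for the example.

```ruby
require "tmpdir"

# Deliberately vulnerable re-creation of the pattern the advisory describes
# (not job-iteration's actual code): the file path is interpolated into a
# shell command string, so /bin/sh parses any metacharacters it contains.
# The use of `wc -l` here is an assumption about how the count is obtained.
def vulnerable_row_count(filepath, headers: true)
  count = `wc -l < #{filepath}`.strip.to_i
  count -= 1 if headers
  count
end

# Hardened variant A: still uses wc, but IO.popen with an Array argv execs
# the program directly. The path reaches wc as one argv element and is never
# seen by a shell. A missing or mangled file makes wc fail, which we surface.
def safe_row_count_popen(filepath, headers: true)
  output = IO.popen(["wc", "-l", filepath], err: File::NULL, &:read)
  raise ArgumentError, "cannot count rows in #{filepath.inspect}" unless $?.success?
  count = output.split.first.to_i # "wc -l FILE" prints "<n> FILE"
  count -= 1 if headers
  count
end

# Hardened variant B: no external process at all; count lines in Ruby.
# (Like wc, this counts newline-terminated lines.)
def safe_row_count_ruby(filepath, headers: true)
  count = File.foreach(filepath).count
  count -= 1 if headers && count.positive?
  count
end

# Runs all three counters on an honest path and on a hostile "filename" that
# carries a shell payload, and reports what happened. The CSV is constructed.
def demonstrate
  Dir.mktmpdir do |dir|
    csv_path = File.join(dir, "data.csv")
    File.write(csv_path, "id,name\n1,alice\n2,bob\n3,carol\n") # header + 3 rows
    marker  = File.join(dir, "pwned")
    # Attacker-controlled filename: a real path followed by an extra command.
    hostile = "#{csv_path}; touch #{marker}"

    r = {}
    r[:vulnerable_honest]  = vulnerable_row_count(csv_path)
    r[:vulnerable_hostile] = vulnerable_row_count(hostile) # count looks normal...
    r[:payload_ran]        = File.exist?(marker)           # ...but the payload executed
    File.delete(marker) if r[:payload_ran]

    r[:popen_honest]  = safe_row_count_popen(csv_path)
    r[:popen_hostile] = (safe_row_count_popen(hostile) rescue :rejected)
    r[:ruby_honest]   = safe_row_count_ruby(csv_path)
    r[:ruby_hostile]  = (safe_row_count_ruby(hostile) rescue :rejected)
    r[:payload_ran_after_hardening] = File.exist?(marker)
    r
  end
end

if __FILE__ == $PROGRAM_NAME
  demonstrate.each { |k, v| puts "#{k}: #{v}" }
end
```

The point of the hostile path is that the vulnerable version returns the correct-looking count of 3 while `touch` runs as a side effect, so the bug is invisible to the caller. Both hardened variants instead treat the whole string as a filename, fail to find it, and raise. Of the two, counting in Ruby removes the external dependency entirely; the `IO.popen` Array form is the minimal change when the external tool must stay.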