Ruby/rdoc/6.3.0


RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying documentation from the command line.

https://rubygems.org/gems/rdoc
Ruby

2 Security Vulnerabilities

Arbitrary Code Execution in Rdoc

Published date: 2021-09-01T18:53:15Z
CVE: CVE-2021-31799
Links:

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via a filename that begins with | and ends with tags.

Affected versions: ["6.3.0", "6.2.1", "6.2.0", "6.1.2", "6.1.1", "6.1.0", "6.1.0.beta3", "6.1.0.beta2", "6.1.0.beta1", "6.0.4", "6.0.3", "6.0.2", "6.0.1.1", "6.0.1", "6.0.0", "6.0.0.beta4", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.1.0", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0.preview.3", "4.0.1", "4.0.0", "4.0.0.rc.2.1", "4.0.0.rc.2", "4.0.0.preview2.1", "4.0.0.preview2", "3.12.2", "3.12.1", "3.12", "3.11"]
Secure versions: [6.3.1, 6.3.2, 6.1.2.1, 6.6.3.1, 6.5.1.1, 6.4.1.1, 6.3.4.1, 6.7.0]
Recommendation: Update to version 6.7.0.

RDoc OS command injection vulnerability

Published date: 2021-05-02
CVE: CVE-2021-31799
CVSS V3: 7.0
Links:

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit this to execute an arbitrary command on the machine of a user who runs the rdoc command against it.

Affected versions: ["6.2.1", "6.2.0", "6.1.2", "6.1.1", "6.1.0", "6.1.0.beta3", "6.1.0.beta2", "6.1.0.beta1", "6.0.4", "6.0.3", "6.0.2", "6.0.1.1", "6.0.1", "6.0.0", "6.0.0.beta4", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.1.0", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.0", "4.2.2", "4.2.1", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.1.0.preview.3", "4.0.1", "4.0.0", "4.0.0.rc.2.1", "4.0.0.rc.2", "4.0.0.preview2.1", "4.0.0.preview2", "3.12.2", "3.12.1", "3.12", "3.11", "3.10", "3.10.pre.3", "3.10.pre.2", "3.10.pre.1", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9", "3.8", "3.7", "3.6.1", "3.6", "3.5.3", "3.5.2", "3.5.1", "3.5", "3.4", "3.3", "3.2", "3.1", "3.0.1", "3.0", "2.5.11", "2.5.10", "2.5.9", "2.5.8", "2.5.7", "2.5.6", "2.5.5", "2.5.4", "2.5.3", "2.5.2", "2.5.1", "2.5", "2.4.3", "2.4.2", "2.4.1", "2.4.0", "2.3.0", "2.2.1", "2.2.0", "2.1.0", "2.0.0", "6.3.0"]
Secure versions: [6.3.1, 6.3.2, 6.1.2.1, 6.6.3.1, 6.5.1.1, 6.4.1.1, 6.3.4.1, 6.7.0]
Recommendation: Update to version 6.7.0.
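The root cause described above is that Kernel#open treats a name beginning with "|" as a shell command to spawn, while File.open always opens the literal path. The following Ruby script is an added example (not RDoc's own code and not its fix) that shows the safe way to read files from an untrusted project tree and a small detection helper that flags file names Kernel#open would misinterpret. The directory layout and file names are constructed for the demo; they assume a Unix file system where "|" is a legal character in a file name.

```ruby
require "tmpdir"

# Kernel#open (the bare `open` call) treats an argument beginning with "|"
# as a command to run and returns a pipe to it. File.open never does: it
# opens the literal path, so it is the right call when the names come from
# a project tree you do not control.
def safe_read(dir, name)
  Dir.chdir(dir) { File.open(name, "rb", &:read) }
end

# A file name that Kernel#open would interpret as a command. Only a leading
# "|" triggers the behaviour; a "|" elsewhere in the name is an ordinary
# character.
def pipe_filename?(name)
  name.start_with?("|")
end

# Scan a project tree for such names so they can be flagged before any tool
# that still uses Kernel#open is run against it. Returns paths relative to
# the root, sorted for stable output.
def suspicious_entries(root)
  Dir.glob("**/*", base: root)
     .select { |rel| pipe_filename?(File.basename(rel)) }
     .sort
end

# Constructed fixture: one ordinary file and one whose name starts with "|".
# The contents are harmless; only the name is the point.
def build_demo_tree
  dir = Dir.mktmpdir("rdoc-demo")
  File.write(File.join(dir, "README.md"), "# ordinary file\n")
  File.write(File.join(dir, "|example.rb"), "# harmless contents\n")
  dir
end

if $PROGRAM_NAME == __FILE__
  dir = build_demo_tree
  puts "flagged: #{suspicious_entries(dir).inspect}"
  # File.open reads the oddly named file as data instead of spawning anything.
  puts "contents: #{safe_read(dir, '|example.rb').inspect}"
end
```

Running the script prints the flagged relative path and the file's contents read back as plain bytes. The same `suspicious_entries` scan can be run over a checkout in CI to catch such names before a documentation build on an unpatched RDoc ever sees them.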

101 Other Versions

Version License Security Released
2.0.0 UNKNOWN 2 2009-07-25 18:00 (about 15 years ago)