Skip to content

BibTeX-Ruby vulnerable to OS command injection

Critical severity GitHub Reviewed Published Feb 14, 2020 to the GitHub Advisory Database • Updated Aug 28, 2023

Package

bundler bibtex-ruby (RubyGems)

Affected versions

<= 5.0.1

Patched versions

5.1.0

Description

BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open.

References

Reviewed Feb 13, 2020
Published to the GitHub Advisory Database Feb 14, 2020
Last updated Aug 28, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2019-10780

GHSA ID

GHSA-c5r5-7pfh-6qg6

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.