9 vulnerabilities found for mechanize by mechanize_project

FKIE_CVE-2021-32837

Vulnerability from fkie_nvd - Published: 2023-01-17 22:15 - Updated: 2025-12-22 02:16
Summary
mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.
References
security-advisories@github.com | https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879 | Exploit, Third Party Advisory
security-advisories@github.com | https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6 | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6 | Third Party Advisory
security-advisories@github.com | https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html
security-advisories@github.com | https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/ | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/12/msg00028.html
af854a3a-2127-422b-91ae-364da2661108 | https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/ | Exploit, Third Party Advisory
Impacted products
Vendor Product Version
mechanize_project mechanize *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "29D79742-1F31-48EC-B67A-A49B3B73EADE",
              "versionEndExcluding": "0.4.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue."
    },
    {
      "lang": "es",
      "value": "mechanize, una librer\u00eda para interactuar autom\u00e1ticamente con servidores web HTTP, contiene una expresi\u00f3n regular que es vulnerable a la denegaci\u00f3n de servicio de expresi\u00f3n regular (ReDoS) antes de la versi\u00f3n 0.4.6. Si un servidor web responde de forma maliciosa, mechanize podr\u00eda fallar. La versi\u00f3n 0.4.6 tiene un parche para este problema."
    }
  ],
  "id": "CVE-2021-32837",
  "lastModified": "2025-12-22T02:16:01.123",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-17T22:15:10.533",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00028.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2022-31033

Vulnerability from fkie_nvd - Published: 2022-06-09 20:15 - Updated: 2024-11-21 07:03
Summary
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "CD1B1186-F461-44B3-8F5E-C89967EC8109",
              "versionEndExcluding": "2.8.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
    },
    {
      "lang": "es",
      "value": "La biblioteca Mechanize es usada para automatizar la interacci\u00f3n con los sitios web. Mechanize almacena y env\u00eda autom\u00e1ticamente cookies, sigue redireccionamientos y puede seguir enlaces y enviar formularios. En versiones anteriores a 2.8.5, el encabezado de autorizaci\u00f3n es filtrado despu\u00e9s de un redireccionamiento a un puerto diferente en el mismo sitio. Es recomendado a usuarios actualizar a Mechanize versi\u00f3n v2.8.5 o posteriores. No se presentan mitigaciones conocidas para este problema"
    }
  ],
  "id": "CVE-2022-31033",
  "lastModified": "2024-11-21T07:03:45.280",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-09T20:15:08.343",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-21289

Vulnerability from fkie_nvd - Published: 2021-02-02 19:15 - Updated: 2024-11-21 05:47
Summary
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
References
security-advisories@github.com | https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0 | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 | Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g | Third Party Advisory
security-advisories@github.com | https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html | Mailing List, Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
security-advisories@github.com | https://rubygems.org/gems/mechanize/ | Product, Third Party Advisory
security-advisories@github.com | https://security.gentoo.org/glsa/202107-17 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7 | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
af854a3a-2127-422b-91ae-364da2661108 | https://rubygems.org/gems/mechanize/ | Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202107-17 | Third Party Advisory
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "3F476565-B5B7-4547-812E-F9428E9FA312",
              "versionEndExcluding": "2.7.7",
              "versionStartIncluding": "2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
              "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
    },
    {
      "lang": "es",
      "value": "Mechanize es una biblioteca de ruby ??de c\u00f3digo abierto que facilita la interacci\u00f3n web automatizada.\u0026#xa0;En Mechanize desde versi\u00f3n 2.0.0 y versiones anteriores a 2.7.7, se presenta una vulnerabilidad de inyecci\u00f3n de comandos.\u0026#xa0;Las versiones afectadas de mechanize permiten a unos comandos del Sistema Operativo ser inyectados usando m\u00e9todos de varias clases que impl\u00edcitamente usan el m\u00e9todo Kernel.open de Ruby.\u0026#xa0;Una explotaci\u00f3n es posible solo si es usada una entrada que no sea confiable como nombre de archivo local y sea pasada a cualquiera de estas llamadas: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save y Mechanize::FileResponse#read_body.\u0026#xa0;Esto es corregido en versi\u00f3n 2.7.7"
    }
  ],
  "id": "CVE-2021-21289",
  "lastModified": "2024-11-21T05:47:56.533",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.6,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-02T19:15:14.220",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://rubygems.org/gems/mechanize/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202107-17"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://rubygems.org/gems/mechanize/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202107-17"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2021-32837 (GCVE-0-2021-32837)

Vulnerability from nvd – Published: 2023-01-17 00:00 – Updated: 2025-12-22 01:32
Title
mechanize vulnerable to ReDoS
Summary
mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
python-mechanize mechanize Affected: 0.4.6 , < 0.4.6 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-12-22T01:32:19.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
          },
          {
            "name": "[debian-lts-announce] 20230620 [SECURITY] [DLA 3460-1] python-mechanize security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32837",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:02:11.874134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:22:55.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "python-mechanize",
          "versions": [
            {
              "lessThan": "0.4.6",
              "status": "affected",
              "version": "0.4.6",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-20T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"
        },
        {
          "url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
        },
        {
          "url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
        },
        {
          "url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
        },
        {
          "name": "[debian-lts-announce] 20230620 [SECURITY] [DLA 3460-1] python-mechanize security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
        }
      ],
      "source": {
        "advisory": "GHSL-2021-108",
        "defect": [
          "GHSL-2021-108"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "mechanize vulnerable to ReDoS",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32837",
    "datePublished": "2023-01-17T00:00:00.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2025-12-22T01:32:19.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-31033 (GCVE-0-2022-31033)

Vulnerability from nvd – Published: 2022-06-09 20:00 – Updated: 2025-04-23 18:17
Title
Authorization header leak in rubygem Mechanize
Summary
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
sparklemotion mechanize Affected: < 2.8.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.243Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
          },
          {
            "name": "FEDORA-2022-fda14723ec",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
          },
          {
            "name": "FEDORA-2022-6b1b324753",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31033",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:05:43.245841Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:17:26.066Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "sparklemotion",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-19T02:07:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
        },
        {
          "name": "FEDORA-2022-fda14723ec",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
        },
        {
          "name": "FEDORA-2022-6b1b324753",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
        }
      ],
      "source": {
        "advisory": "GHSA-64qm-hrgp-pgr9",
        "discovery": "UNKNOWN"
      },
      "title": "Authorization header leak in rubygem Mechanize",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31033",
          "STATE": "PUBLIC",
          "TITLE": "Authorization header leak in rubygem Mechanize"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mechanize",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.8.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "sparklemotion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9",
              "refsource": "CONFIRM",
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
            },
            {
              "name": "FEDORA-2022-fda14723ec",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
            },
            {
              "name": "FEDORA-2022-6b1b324753",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-64qm-hrgp-pgr9",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31033",
    "datePublished": "2022-06-09T20:00:16.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:17:26.066Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21289 (GCVE-0-2021-21289)

Vulnerability from nvd – Published: 2021-02-02 18:50 – Updated: 2024-08-03 18:09
Title
Command Injection Vulnerability in Mechanize
Summary
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
Impacted products
Vendor Product Version
sparklemotion mechanize Affected: >= 2.0, < 2.7.7

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.157Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rubygems.org/gems/mechanize/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
          },
          {
            "name": "FEDORA-2021-24fdc228e4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
          },
          {
            "name": "FEDORA-2021-db8ebc547e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
          },
          {
            "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
          },
          {
            "name": "GLSA-202107-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "sparklemotion",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0, \u003c 2.7.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-08T06:07:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rubygems.org/gems/mechanize/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
        },
        {
          "name": "FEDORA-2021-24fdc228e4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
        },
        {
          "name": "FEDORA-2021-db8ebc547e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
        },
        {
          "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
        },
        {
          "name": "GLSA-202107-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-17"
        }
      ],
      "source": {
        "advisory": "GHSA-qrqm-fpv6-6r8g",
        "discovery": "UNKNOWN"
      },
      "title": "Command Injection Vulnerability in Mechanize",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21289",
          "STATE": "PUBLIC",
          "TITLE": "Command Injection Vulnerability in Mechanize"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mechanize",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 2.0, \u003c 2.7.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "sparklemotion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
              "refsource": "CONFIRM",
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
            },
            {
              "name": "https://rubygems.org/gems/mechanize/",
              "refsource": "MISC",
              "url": "https://rubygems.org/gems/mechanize/"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
            },
            {
              "name": "FEDORA-2021-24fdc228e4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
            },
            {
              "name": "FEDORA-2021-db8ebc547e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
            },
            {
              "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
            },
            {
              "name": "GLSA-202107-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-17"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-qrqm-fpv6-6r8g",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21289",
    "datePublished": "2021-02-02T18:50:13",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:15.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32837 (GCVE-0-2021-32837)

Vulnerability from cvelistv5 – Published: 2023-01-17 00:00 – Updated: 2025-12-22 01:32
Title
mechanize vulnerable to ReDoS
Summary
mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
python-mechanize mechanize Affected: 0.4.6 , < 0.4.6 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-12-22T01:32:19.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
          },
          {
            "name": "[debian-lts-announce] 20230620 [SECURITY] [DLA 3460-1] python-mechanize security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32837",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:02:11.874134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:22:55.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "python-mechanize",
          "versions": [
            {
              "lessThan": "0.4.6",
              "status": "affected",
              "version": "0.4.6",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-20T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"
        },
        {
          "url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
        },
        {
          "url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
        },
        {
          "url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
        },
        {
          "name": "[debian-lts-announce] 20230620 [SECURITY] [DLA 3460-1] python-mechanize security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
        }
      ],
      "source": {
        "advisory": "GHSL-2021-108",
        "defect": [
          "GHSL-2021-108"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "mechanize vulnerable to ReDoS",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32837",
    "datePublished": "2023-01-17T00:00:00.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2025-12-22T01:32:19.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-31033 (GCVE-0-2022-31033)

Vulnerability from cvelistv5 – Published: 2022-06-09 20:00 – Updated: 2025-04-23 18:17
Title
Authorization header leak in rubygem Mechanize
Summary
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
sparklemotion mechanize Affected: < 2.8.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.243Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
          },
          {
            "name": "FEDORA-2022-fda14723ec",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
          },
          {
            "name": "FEDORA-2022-6b1b324753",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31033",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:05:43.245841Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:17:26.066Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "sparklemotion",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-19T02:07:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
        },
        {
          "name": "FEDORA-2022-fda14723ec",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
        },
        {
          "name": "FEDORA-2022-6b1b324753",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
        }
      ],
      "source": {
        "advisory": "GHSA-64qm-hrgp-pgr9",
        "discovery": "UNKNOWN"
      },
      "title": "Authorization header leak in rubygem Mechanize",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31033",
          "STATE": "PUBLIC",
          "TITLE": "Authorization header leak in rubygem Mechanize"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mechanize",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.8.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "sparklemotion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9",
              "refsource": "CONFIRM",
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
            },
            {
              "name": "FEDORA-2022-fda14723ec",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
            },
            {
              "name": "FEDORA-2022-6b1b324753",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-64qm-hrgp-pgr9",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31033",
    "datePublished": "2022-06-09T20:00:16.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:17:26.066Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21289 (GCVE-0-2021-21289)

Vulnerability from cvelistv5 – Published: 2021-02-02 18:50 – Updated: 2024-08-03 18:09
Title
Command Injection Vulnerability in Mechanize
Summary
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
Impacted products
Vendor Product Version
sparklemotion mechanize Affected: >= 2.0, < 2.7.7

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.157Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rubygems.org/gems/mechanize/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
          },
          {
            "name": "FEDORA-2021-24fdc228e4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
          },
          {
            "name": "FEDORA-2021-db8ebc547e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
          },
          {
            "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
          },
          {
            "name": "GLSA-202107-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mechanize",
          "vendor": "sparklemotion",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0, \u003c 2.7.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-08T06:07:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rubygems.org/gems/mechanize/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
        },
        {
          "name": "FEDORA-2021-24fdc228e4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
        },
        {
          "name": "FEDORA-2021-db8ebc547e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
        },
        {
          "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
        },
        {
          "name": "GLSA-202107-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-17"
        }
      ],
      "source": {
        "advisory": "GHSA-qrqm-fpv6-6r8g",
        "discovery": "UNKNOWN"
      },
      "title": "Command Injection Vulnerability in Mechanize",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21289",
          "STATE": "PUBLIC",
          "TITLE": "Command Injection Vulnerability in Mechanize"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mechanize",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 2.0, \u003c 2.7.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "sparklemotion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes\u0027 methods which implicitly use Ruby\u0027s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g",
              "refsource": "CONFIRM",
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g"
            },
            {
              "name": "https://rubygems.org/gems/mechanize/",
              "refsource": "MISC",
              "url": "https://rubygems.org/gems/mechanize/"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0",
              "refsource": "MISC",
              "url": "https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0"
            },
            {
              "name": "FEDORA-2021-24fdc228e4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/"
            },
            {
              "name": "FEDORA-2021-db8ebc547e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/"
            },
            {
              "name": "[debian-lts-announce] 20210216 [SECURITY] [DLA 2561-1] ruby-mechanize security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html"
            },
            {
              "name": "GLSA-202107-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-17"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-qrqm-fpv6-6r8g",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21289",
    "datePublished": "2021-02-02T18:50:13",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:15.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}