Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-2007-1 | ruby2.1 security update |
![]() |
DLA-2027-1 | jruby security update |
![]() |
DLA-2330-1 | jruby security update |
![]() |
DLA-3408-1 | jruby security update |
![]() |
DSA-4586-1 | ruby2.5 security update |
![]() |
DSA-4587-1 | ruby2.3 security update |
![]() |
EUVD-2019-7061 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. |
![]() |
USN-4201-1 | Ruby vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 12 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-05T01:10:41.667Z
Reserved: 2019-09-11T00:00:00
Link: CVE-2019-16255

No data.

Status : Modified
Published: 2019-11-26T18:15:15.303
Modified: 2024-11-21T04:30:24.033
Link: CVE-2019-16255


No data.