Externally Controlled Reference to a Resource in Another Sphere in ruby-mysql

#VU67809 Externally Controlled Reference to a Resource in Another Sphere in ruby-mysql

Published: 2022-10-03

Vulnerability identifier: #VU67809

Vulnerability risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3779

CWE-ID: CWE-610

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ruby-mysql
Universal components / Libraries / Programming Languages & Components

Vendor: TOMITA Masahiro

Description

The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to missing authorization when working with local files on the system with installed ruby-mysql client. A malicious MySQL server can request content of an arbitrary local file on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ruby-mysql: 2.9.5 - 2.9.14

External links
http://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in ruby-mysql