CVE-2021-31799 – This vulnerability in RDoc (Ruby's documentatio... (How to Fix)

Q: What is the severity of CVE-2021-31799?

CVE-2021-31799 has a CVSS score of 7.0 (HIGH). This vulnerability in RDoc (Ruby's documentation generator) allows arbitrary code execution when processing filenames containing pipe (|) or backtick (`) characters. Attackers can exploit this by tricking users or automated systems into processing malicious filenames. This affects Ruby installations with vulnerable RDoc versions, particularly developers and systems using Ruby documentation tools.

📋 TL;DR

This vulnerability in RDoc (Ruby's documentation generator) allows arbitrary code execution when processing filenames containing pipe (|) or backtick (`) characters. Attackers can exploit this by tricking users or automated systems into processing malicious filenames. This affects Ruby installations with vulnerable RDoc versions, particularly developers and systems using Ruby documentation tools.

💻 Affected Systems

Products:

RDoc
Ruby

Versions: RDoc 3.11 through 6.x before 6.3.1, Ruby through 3.0.1

Operating Systems: All operating systems running affected Ruby/RDoc versions

Default Config Vulnerable: ⚠️ Yes

Notes: Any system using RDoc to process documentation files is vulnerable. This includes development environments, CI/CD pipelines, and documentation generation systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Local privilege escalation or arbitrary code execution in the context of the user running RDoc, potentially leading to lateral movement within the environment.

🟢

If Mitigated

Limited impact if proper file validation and sandboxing are implemented, restricting execution to isolated environments.

🌐 Internet-Facing: MEDIUM - Exploitation typically requires user interaction or automated processing of untrusted files, but web applications using RDoc could be vulnerable.

🏢 Internal Only: HIGH - Developers and build systems frequently process documentation files, creating multiple internal attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the victim to process a malicious filename through RDoc. This could be achieved through social engineering, automated documentation builds, or compromised source repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RDoc 6.3.1 or later, Ruby 3.0.2 or later

Vendor Advisory: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc-cve-2021-31799/

Restart Required: No

Instructions:

1. Update Ruby to version 3.0.2 or later. 2. Alternatively, update RDoc gem to version 6.3.1 or later using: gem update rdoc. 3. Verify the update with: gem list rdoc.

🔧 Temporary Workarounds

Disable RDoc processing

all

Temporarily disable RDoc documentation generation in vulnerable environments

gem install --no-document
export GEM_DOC=false

Filename validation

all

Implement input validation to reject filenames containing | or ` characters before RDoc processing

🧯 If You Can't Patch

Implement strict file validation to block filenames containing | or ` characters
Run RDoc in isolated containers or sandboxes with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check RDoc version with: gem list rdoc | grep rdoc. If version is between 3.11 and 6.3.0 (excluding 6.3.1), system is vulnerable.

Check Version:

gem list rdoc | grep rdoc && ruby --version

Verify Fix Applied:

Verify RDoc version is 6.3.1 or higher with: gem list rdoc | grep rdoc. Also check Ruby version is 3.0.2 or higher with: ruby --version.

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in RDoc processes
Errors from RDoc when processing files with special characters
Unexpected system commands executed during documentation generation

Network Indicators:

Outbound connections from RDoc processes to unexpected destinations
Command and control traffic originating from documentation systems

SIEM Query:

process_name:"rdoc" AND (command_line:"|" OR command_line:"`")

📊 Metadata

CVE ID: CVE-2021-31799

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: July 30, 2021

Last Updated: November 21, 2024

🔗 References

https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-31799 Third Party Advisory
https://security.gentoo.org/glsa/202401-05
https://security.netapp.com/advisory/ntap-20210902-0004/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/ Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-31799 Third Party Advisory
https://security.gentoo.org/glsa/202401-05
https://security.netapp.com/advisory/ntap-20210902-0004/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/ Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-31799, you might also want to check these: