---
gem: rexical
cve: 2019-5477
date: 2019-08-11
url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
title: Rexical Command Injection Vulnerability
description: |
  A command injection vulnerability appears in code generated by the Rexical gem
  versions v1.0.6 and earlier. It allows commands to be executed in a subprocess
  by Ruby's `Kernel.open` method.
patched_versions:
  - ">= 1.0.7"
cvss_v2: 7.5
cvss_v3: 9.8
related:
  url:
    - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06
    - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ