Description
The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.
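A hardened way to read a hosts-style file, added here as an example; it is not code from lib/resolv.rb or from this page. `load_hosts`, `file_open_result` and `demo` are hypothetical names and the hosts data is constructed. It relies on `File.open`, which always treats its argument as a path, so a leading `|` is never interpreted the way `Kernel#open` interprets it.

```ruby
require 'tempfile'

# Hypothetical helper, not part of lib/resolv.rb: parse a hosts-style file
# into { hostname => [addresses] } without ever going through Kernel#open.
def load_hosts(filename)
  name = filename.to_s
  # Defence in depth: a pipe-prefixed "filename" is never a legitimate path here.
  if name.start_with?('|')
    raise ArgumentError, "refusing pipe-prefixed filename: #{name.inspect}"
  end

  entries = Hash.new { |hash, key| hash[key] = [] }
  # File.open only opens files; it has no subprocess behaviour.
  File.open(name, 'rb') do |f|
    f.each_line do |line|
      addr, *hostnames = line.sub(/#.*/, '').split # drop comments, split on whitespace
      next if addr.nil?                            # blank or comment-only line
      hostnames.each { |host| entries[host] << addr }
    end
  end
  entries
end

# Shows how File.open handles a pipe-prefixed name: it is looked up as a
# literal file name, so a missing file is the only outcome.
def file_open_result(name)
  File.open(name, 'rb') { :opened }
rescue Errno::ENOENT
  :treated_as_missing_file
end

# Constructed sample input, written to a temporary file and parsed.
def demo
  Tempfile.create('hosts') do |tmp|
    tmp.write("127.0.0.1 localhost loopback # constructed\n\n192.0.2.10 app.example\n")
    tmp.flush
    load_hosts(tmp.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo
  p file_open_result('|echo constructed-marker')
end
```

The same substitution (`File.open` in place of a bare `open`) applies anywhere a file name can be influenced by a caller.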