Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/mechanize@2.7.5

Type gem

Namespace

Name mechanize

Version 2.7.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.8.5

Latest_non_vulnerable_version 2.8.5

Affected_by_vulnerabilities

url VCID-c49k-cjdh-63gj

vulnerability_id VCID-c49k-cjdh-63gj

summary

Mechanize ruby gem Command Injection vulnerability
## Impact

Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected using several
classes' methods which implicitly use Ruby's `Kernel.open` method. Exploitation is
possible only if untrusted input is used as a local filename and passed to any of
these calls:

* Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
* Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
* Mechanize#download: since v2.2 (see dc91667)
* Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
* Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
* Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

## Patches

These vulnerabilities are patched in Mechanize v2.7.7.

## Workarounds

No workarounds are available. We recommend upgrading to v2.7.7 or later.

## References

See https://docs.rubocop.org/rubocop/cops_security.html#securityopen for background
on why `Kernel.open` should not be used with untrusted input.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21289.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21289.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-21289

reference_id

reference_type

scores

value	0.02503
scoring_system	epss
scoring_elements	0.8564
published_at	2026-06-09T12:55:00Z

value	0.02503
scoring_system	epss
scoring_elements	0.85626
published_at	2026-06-08T12:55:00Z

value	0.02503
scoring_system	epss
scoring_elements	0.85641
published_at	2026-06-07T12:55:00Z

value	0.02503
scoring_system	epss
scoring_elements	0.85617
published_at	2026-06-04T12:55:00Z

value	0.02503
scoring_system	epss
scoring_elements	0.85644
published_at	2026-06-06T12:55:00Z

value	0.02503
scoring_system	epss
scoring_elements	0.85639
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-21289

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21289
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21289

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2021-21289.yml

reference_url

https://github.com/sparklemotion/mechanize

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sparklemotion/mechanize

reference_url

https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sparklemotion/mechanize/commit/66a6a1bfa653a5f13274a396a5e5441238656aa0

reference_url

https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sparklemotion/mechanize/releases/tag/v2.7.7

reference_url

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

reference_url

https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2021/02/msg00021.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBVVJUL4P4KCJH4IQTHFZ4ATXY7XXZPV/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/

reference_url

https://rubygems.org/gems/mechanize

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://rubygems.org/gems/mechanize

reference_url	https://rubygems.org/gems/mechanize/
reference_id
reference_type
scores
url	https://rubygems.org/gems/mechanize/

reference_url

https://security.gentoo.org/glsa/202107-17

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.gentoo.org/glsa/202107-17

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1924219
reference_id	1924219
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1924219

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-21289

reference_id

CVE-2021-21289

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-21289

reference_url

https://github.com/advisories/GHSA-qrqm-fpv6-6r8g

reference_id

GHSA-qrqm-fpv6-6r8g

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qrqm-fpv6-6r8g

fixed_packages

url pkg:gem/mechanize@2.7.7

purl pkg:gem/mechanize@2.7.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-tn8q-1vqt-j3cu

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/mechanize@2.7.7

aliases CVE-2021-21289, GHSA-qrqm-fpv6-6r8g

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c49k-cjdh-63gj

url VCID-tn8q-1vqt-j3cu

vulnerability_id VCID-tn8q-1vqt-j3cu

summary

Authorization header leak on port redirect in mechanize
**Summary**

Mechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a
redirect to a different port on the same site.

**Mitigation**

Upgrade to Mechanize v2.8.5 or later.

**Notes**

See [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl.

Cookies are shared with a server at a different port on the same site, per
https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:

> Cookies do not provide isolation by port.  If a cookie is readable
> by a service running on one port, the cookie is also readable by a
> service running on another port of the same server.  If a cookie is
> writable by a service on one port, the cookie is also writable by a
> service running on another port of the same server.  For this
> reason, servers SHOULD NOT both run mutually distrusting services on
> different ports of the same host and use cookies to store security-
> sensitive information.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-31033

reference_id

reference_type

scores

value	0.00332
scoring_system	epss
scoring_elements	0.56391
published_at	2026-06-07T12:55:00Z

value	0.00332
scoring_system	epss
scoring_elements	0.56392
published_at	2026-06-09T12:55:00Z

value	0.00332
scoring_system	epss
scoring_elements	0.56374
published_at	2026-06-08T12:55:00Z

value	0.00332
scoring_system	epss
scoring_elements	0.56341
published_at	2026-06-04T12:55:00Z

value	0.00332
scoring_system	epss
scoring_elements	0.56404
published_at	2026-06-06T12:55:00Z

value	0.00332
scoring_system	epss
scoring_elements	0.56397
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-31033

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31033
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31033

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2022-31033.yml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2022-31033.yml

reference_url

https://github.com/sparklemotion/mechanize

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sparklemotion/mechanize

reference_url

https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:43Z/

url

https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317

reference_url

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:43Z/

url

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-31033

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-31033

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014809
reference_id	1014809
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014809

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/

reference_id

7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:43Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/

reference_url

https://github.com/advisories/GHSA-64qm-hrgp-pgr9

reference_id

GHSA-64qm-hrgp-pgr9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-64qm-hrgp-pgr9

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/

reference_id

OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:43Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/

fixed_packages

url	pkg:gem/mechanize@2.8.5
purl	pkg:gem/mechanize@2.8.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/mechanize@2.8.5

aliases CVE-2022-31033, GHSA-64qm-hrgp-pgr9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tn8q-1vqt-j3cu

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/mechanize@2.7.5

Package Instance