There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`. Upstream patch: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee References: https://hackerone.com/reports/651518
Created rubygem-rake tracking bugs for this issue: Affects: fedora-all [bug 1816272]
External References: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Statement: Red Hat CloudForms 5.10 and Red Hat Satellite 6 contains affected rake version, however, it is not vulnerable since it does not use `egrep` after `FileList` loads file with pipe-character, this makes OS injection practically impossible with it's existing Rakefile. Red Hat may update rake in future releases. The version of rubygem-rake shipped with Red Hat Gluster Storage includes the vulnerable code, but the module FileList is currently not used by the product and hence this issue has been rated as having a security impact of Low for RHGS.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products: Red Hat Satellite 6.10 for RHEL 7 Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702