Commit e16e227

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@098479f
1 parent 37d482b, commit e16e227

File tree: 1 file changed
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2025-53623 (job-iteration): Job Iteration API is vulnerable to OS Command
4+
Injection attack through its CsvEnumerator class'
5+
comments: false
6+
categories:
7+
- job-iteration
8+
advisory:
9+
gem: job-iteration
10+
cve: 2025-53623
11+
ghsa: 6qjf-g333-pv38
12+
url: https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
13+
title: Job Iteration API is vulnerable to OS Command Injection attack through its
14+
CsvEnumerator class
15+
date: 2025-07-14
16+
description: |
17+
### Impact
18+
19+
There is an arbitrary code execution vulnerability in the
20+
`CsvEnumerator` class of the `job-iteration` repository. This
21+
vulnerability can be exploited by an attacker to execute arbitrary
22+
commands on the system where the application is running, potentially
23+
leading to unauthorized access, data leakage, or complete system
24+
compromise.
25+
26+
### Patches
27+
28+
Issue is fixed in versions `1.11.0` and above.
29+
30+
### Workarounds
31+
32+
Users can mitigate the risk by avoiding the use of untrusted input
33+
in the `CsvEnumerator` class and ensuring that any file paths are
34+
properly sanitized and validated before being passed to the class
35+
methods. Users should avoid calling `size` on enumerators
36+
constructed with untrusted CSV filenames.
37+
cvss_v4: 8.1
38+
patched_versions:
39+
- ">= 1.11"
40+
related:
41+
url:
42+
- https://nvd.nist.gov/vuln/detail/CVE-2025-53623
43+
- https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
44+
- https://github.com/Shopify/job-iteration/pull/595
45+
- https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
46+
- https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
47+
- https://github.com/advisories/GHSA-6qjf-g333-pv38
48+
---
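Review bot: the wording of the vulnerability class is inconsistent within this post: both `title:` fields call it "OS Command Injection", while the `### Impact` paragraph describes "an arbitrary code execution vulnerability" without saying how the command reaches the OS, and only the `### Workarounds` paragraph names the concrete entry point ("avoid calling `size` on enumerators constructed with untrusted CSV filenames"). Consider moving that entry point up into the Impact section so a reader scanning for exposure knows which `CsvEnumerator` call is affected without reading to the end, and use one term for the flaw throughout. Also worth double-checking that `patched_versions: - ">= 1.11"` is the range the upstream GHSA publishes, since the prose says "`1.11.0` and above" and the `related:` list links the `v1.11.0` release tag; the two are equivalent in gem version semantics but should be kept in sync if either changes.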
