trilogy is vulnerable to File Descriptor Leak
36
Low Risk
The Ruby extension establishes the MySQL connection socket in Ruby and duplicates the underlying file descriptor with dup in contrib/ruby/ext/trilogy-ruby/cext.c before handing it to trilogy_connect_set_fd. The duplicated descriptor did not inherit the FD_CLOEXEC flag, so the live authenticated database socket stayed open across exec. Any child process spawned by the application while a Trilogy connection is open inherited that descriptor and could read from or write to the database connection. The fix reads the original descriptor flags with fcntl(F_GETFD) and reapplies them to the new descriptor with fcntl(F_SETFD) so the socket is closed on exec.
You are affected if you are using a version that falls within the vulnerable range and your application spawns child processes via exec while a Trilogy connection is open.
trilogy is vulnerable to File Descriptor Leak in versions 2.11.0 - 2.12.4.
Upgrade the trilogy library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant