Updated advisory posts against rubysec/ruby-advisory-db@098479f

Author: jasnow

advisories/_posts/2025-07-14-CVE-2025-53623.md

@@ -0,0 +1,48 @@
+---
+layout: advisory
+title: 'CVE-2025-53623 (job-iteration): Job Iteration API is vulnerable to OS Command
+  Injection attack through its CsvEnumerator class'
+comments: false
+categories:
+- job-iteration
+advisory:
+  gem: job-iteration
+  cve: 2025-53623
+  ghsa: 6qjf-g333-pv38
+  url: https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
+  title: Job Iteration API is vulnerable to OS Command Injection attack through its
+    CsvEnumerator class
+  date: 2025-07-14
+  description: |
+    ### Impact
+
+    There is an arbitrary code execution vulnerability in the
+    `CsvEnumerator` class of the `job-iteration` repository. This
+    vulnerability can be exploited by an attacker to execute arbitrary
+    commands on the system where the application is running, potentially
+    leading to unauthorized access, data leakage, or complete system
+    compromise.
+
+    ### Patches
+
+    Issue is fixed in versions `1.11.0` and above.
+
+    ### Workarounds
+
+    Users can mitigate the risk by avoiding the use of untrusted input
+    in the `CsvEnumerator` class and ensuring that any file paths are
+    properly sanitized and validated before being passed to the class
+    methods. Users should avoid calling `size` on enumerators
+    constructed with untrusted CSV filenames.
+  cvss_v4: 8.1
+  patched_versions:
+  - ">= 1.11"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-53623
+    - https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
+    - https://github.com/Shopify/job-iteration/pull/595
+    - https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
+    - https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
+    - https://github.com/advisories/GHSA-6qjf-g333-pv38
+---