OS command injection flaw in awesome_spawn
Published: March 28, 2014
SECURITY IDENTIFIERS
- CVE: CVE-2014-0156 (NVD)
- GHSA: GHSA-qpqw-mc85-qvm9
- Vendor Advisory: https://github.com/ManageIQ/awesome_spawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff
GEM
SEVERITY
PATCHED VERSIONS
~> 1.2.0
>= 1.3.0
DESCRIPTION
awesome_spawn contains an OS command injection vulnerability that allows execution of additional commands passed to awesome_spawn as arguments, e.g. AwesomeSpawn.run('ls', :params => {'-l' => ";touch haxored"}). If untrusted input was included in command arguments, an attacker could use this flaw to execute arbitrary commands.
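The injection from the description, reproduced in an empty scratch directory next to two ways of preventing it. This is an added example, not awesome_spawn's code or the code of its fix; the helper names are hypothetical, and a POSIX /bin/sh with ls and touch on the PATH is assumed.

```ruby
require "shellwords"
require "tmpdir"

# Hypothetical helpers for this example; not awesome_spawn's implementation.

# Flatten {"-l" => "x"} into ["-l", "x"]; a nil value yields a bare flag.
def argv_words(params)
  params.flat_map { |key, value| [key, value] }.compact.map(&:to_s)
end

# Vulnerable pattern: words are joined unescaped, so the shell treats
# metacharacters inside a value (";", "|", "$()", ...) as syntax.
def unsafe_command_line(command, params)
  ([command] + argv_words(params)).join(" ")
end

# Hardened pattern: every word is escaped, so the shell hands each one to
# the program as a single literal argument.
def escaped_command_line(command, params)
  ([command] + argv_words(params)).map { |w| Shellwords.escape(w) }.join(" ")
end

# Run a command line through /bin/sh inside a fresh temporary directory and
# report whether the marker file "haxored" was created there.
def marker_created?(command_line)
  Dir.mktmpdir do |dir|
    system("/bin/sh", "-c", command_line, chdir: dir, out: File::NULL, err: File::NULL)
    File.exist?(File.join(dir, "haxored"))
  end
end

# Same check with no shell involved: the words go to exec as an argv array.
def marker_created_argv?(command, params)
  Dir.mktmpdir do |dir|
    system(command, *argv_words(params), chdir: dir, out: File::NULL, err: File::NULL)
    File.exist?(File.join(dir, "haxored"))
  end
end

PARAMS = { "-l" => ";touch haxored" } # parameter value taken from the advisory

puts "unsafe : #{unsafe_command_line('ls', PARAMS)}"
puts "escaped: #{escaped_command_line('ls', PARAMS)}"
puts "marker created (unsafe, via shell):  #{marker_created?(unsafe_command_line('ls', PARAMS))}"
puts "marker created (escaped, via shell): #{marker_created?(escaped_command_line('ls', PARAMS))}"
puts "marker created (argv, no shell):     #{marker_created_argv?('ls', PARAMS)}"
```

In the escaped and argv cases ls receives ";touch haxored" as a file name and fails with "No such file or directory", which is the signal that the value stayed data.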
