ADVISORIES

• CVE-2014-10075 (NVD)
• GHSA-qfwq-chf4-jvwg
• OSVDB-108573

GEM

karo

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

None.

DESCRIPTION

The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.

karo Gem for Ruby contains a flaw in db.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

• CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

• Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2014-10075
• https://github.com/rahult/karo
• https://github.com/rahult/karo/blob/master/CHANGELOG.md
• https://web.archive.org/web/20250421021935/http://www.vapid.dhs.org/advisories/karo-2.3.8.html
• http://www.vapidlabs.com/advisory.php?v=63
• https://www.openwall.com/lists/oss-security/2014/07/07/22
• https://github.com/advisories/GHSA-qfwq-chf4-jvwg