ADVISORIES

• CVE-2014-10075 (NVD)
• GHSA-qfwq-chf4-jvwg
• OSVDB-108573

GEM

karo

LIBRARY

RubyGems

FRAMEWORK

rubygems

PLATFORM

rubygems

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

None.

DESCRIPTION

The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.

karo Gem for Ruby contains a flaw in db.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

• CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

• Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2014-10075
• http://www.vapid.dhs.org/advisories/karo-2.3.8.html
• http://www.vapidlabs.com/advisory.php?v=63
• http://osvdb.org/show/osvdb/108573
• https://github.com/advisories/GHSA-qf67-vmxx-gp4jGHSA-qfwq-chf4-jvwg.json
• https://github.com/rahult/karo
• https://github.com/rahult/karo/blob/master/CHANGELOG.md