ADVISORIES
- CVE-2014-10075 (NVD)
- GHSA-qfwq-chf4-jvwg
- OSVDB-108573
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
CVSS v2.0: 7.5 (High)
PATCHED VERSIONS
None.
DESCRIPTION
The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.
karo Gem for Ruby contains a flaw in db.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
-
CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
-
Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2014-10075
- https://github.com/rahult/karo
- https://github.com/rahult/karo/blob/master/CHANGELOG.md
- https://web.archive.org/web/20250421021935/http://www.vapid.dhs.org/advisories/karo-2.3.8.html
- http://www.vapidlabs.com/advisory.php?v=63
- https://www.openwall.com/lists/oss-security/2014/07/07/22
- https://github.com/advisories/GHSA-qfwq-chf4-jvwg