RubySec

Providing security resources for the Ruby community

CVE-2014-2322 (Arabic-Prawn): Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote Command Injection

GEM

Arabic-Prawn

SEVERITY

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

None.

DESCRIPTION

The Arabic Prawn gem for Ruby contains a flaw in lib/string_utf_support.rb: the program fails to sanitize user input before passing it to a shell command, which may allow a remote attacker to inject arbitrary commands.

"lib/string_utf_support.rb" in the Arabic Prawn 0.0.1 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) downloaded_file or (2) url variable.
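
The following Ruby is an added illustration of the vulnerability class this advisory describes, not the Arabic-Prawn gem's own code: the exact statement in lib/string_utf_support.rb is not reproduced on this page, so the `wget` invocation, the variable handling and the helper names (`unsafe_command_string`, `download_argv`, `validate_url`, `validate_filename`, `shell_metacharacters?`, `echo_argv`) are constructed for the example. It contrasts the vulnerable shape (a single command string built from the `url` and `downloaded_file` values, which a shell then parses) with the hardened shape (an argument vector passed to `system`/`Open3` with no shell, plus allow-list validation of both values), and includes a metacharacter check a reviewer can run over such values.

```ruby
# Constructed example of the command-injection pattern named in CVE-2014-2322;
# not code from the Arabic-Prawn gem.
require "uri"
require "open3"
require "rbconfig"

# Vulnerable shape (hypothetical): interpolating attacker-controlled values
# into one command string means a shell parses it, so metacharacters inside
# url or downloaded_file become command syntax. Returned, never executed.
def unsafe_command_string(url, downloaded_file)
  "wget -O #{downloaded_file} #{url}"
end

# Characters a POSIX shell treats specially; a cheap detection check for any
# value that is about to reach a shell.
SHELL_META = /[;&|`$<>()\\\n"' ]/

def shell_metacharacters?(value)
  value.match?(SHELL_META)
end

# Accept only well-formed http/https URLs with a host.
def validate_url(url)
  uri = URI.parse(url)
  raise ArgumentError, "only http/https URLs allowed" unless uri.is_a?(URI::HTTP)
  raise ArgumentError, "URL has no host" if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  raise ArgumentError, "malformed URL"
end

# Allow-list the output file name: no separators, no shell characters,
# and nothing that could be mistaken for a flag or a hidden file.
def validate_filename(name)
  raise ArgumentError, "unsafe file name" unless name.match?(/\A[A-Za-z0-9._-]+\z/)
  raise ArgumentError, "unsafe file name" if name.start_with?(".", "-")
  name
end

# Hardened shape: an argument vector. Ruby's multi-argument system/spawn/Open3
# run the program directly with no shell, so each element is one literal argv
# entry whatever it contains. "--" ends option parsing so a file name cannot be
# read as an option.
def download_argv(url, downloaded_file)
  ["wget", "-O", validate_filename(downloaded_file), "--", validate_url(url)]
end

# Demonstrates that the argument-vector form delivers values literally. A Ruby
# interpreter stands in for wget so the example needs no network or binary.
def echo_argv(args)
  out, _status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV.join('|')", *args)
  out
end

if __FILE__ == $0
  p unsafe_command_string("http://example.com/a.pdf", "a.pdf; id")
  p download_argv("http://example.com/a.pdf", "a.pdf")
  begin
    download_argv("http://example.com/a.pdf", "a.pdf; id")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts echo_argv(["a.pdf; id", "$(id)"])
end
```

The essential fix is the argument vector: once no shell is involved, metacharacters lose their meaning, and the allow-list validation then only needs to keep the values semantically sensible (a real URL, a plain file name) rather than to enumerate every dangerous character.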

RELATED