sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
Published: April 16, 2014
SECURITY IDENTIFIERS
- CVE: CVE-2014-2888 (NVD)
- GHSA: GHSA-vm28-mrm7-fpjq
- OSVDB: OSVDB-105971
GEM
sfpagent
SEVERITY
CVSS v2.0: 7.5 (High)
PATCHED VERSIONS
>= 0.4.15
DESCRIPTION
sfpagent Gem for Ruby contains a flaw that is triggered because the JSON[body] input is not properly sanitized when a module name containing shell metacharacters is handled. This may allow a context-dependent attacker to execute arbitrary commands.
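As an added illustration (not sfpagent's own code), a hypothetical agent handler that reads a module name from JSON[body]: the unsafe string-interpolation pattern the advisory describes, next to a hardened version that validates the name against an allow-list and spawns the command as an argv array so no shell ever parses it. The `module` key, the `tar` command and the directory paths are assumptions.

```ruby
require 'json'
require 'open3'

# Allow-list for module names (assumption): letters, digits, underscore,
# dot and hyphen, no leading dot (blocks "../"), at most 64 characters.
MODULE_NAME_RE = /\A[A-Za-z0-9_][A-Za-z0-9_.\-]{0,63}\z/

def valid_module_name?(name)
  name.is_a?(String) && name.match?(MODULE_NAME_RE)
end

# Unsafe pattern (hypothetical, mirrors what the advisory describes): the
# name taken from JSON[body] is interpolated into one command string that
# would be handed to /bin/sh, so any shell metacharacter in it is parsed
# by the shell instead of being treated as part of the file name.
def build_command_unsafe(body)
  name = JSON[body]['module']
  "tar xzf modules/#{name}.tgz -C /opt/modules"
end

# Hardened: validate first, then build an argv array. Executing the array
# form (Open3.capture3(*argv) or system(*argv)) never invokes a shell, so
# the name is always passed as one literal argument.
def build_argv(body, modules_dir: 'modules', target: '/opt/modules')
  name = JSON[body]['module']
  unless valid_module_name?(name)
    raise ArgumentError, "invalid module name: #{name.inspect}"
  end
  ['tar', 'xzf', File.join(modules_dir, "#{name}.tgz"), '-C', target]
end

def install_module(body)
  argv = build_argv(body)
  _out, err, status = Open3.capture3(*argv) # no shell involved
  raise "install failed: #{err}" unless status.success?
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request bodies for demonstration.
  p build_argv('{"module":"apache2"}')
  begin
    build_argv('{"module":"apache2;ls"}')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```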
