RubySec

Providing security resources for the Ruby community

CVE-2014-2888 (sfpagent): sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution

GEM

sfpagent

SEVERITY

CVSS v2: 7.5 (High)

PATCHED VERSIONS

  • >= 0.4.15

DESCRIPTION

The sfpagent Gem for Ruby contains a flaw that is triggered because the JSON[body] input is not properly sanitized when module names containing shell metacharacters are handled. This may allow a context-dependent attacker to execute arbitrary commands.
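The weakness class this advisory describes, shown as an added illustration that is not sfpagent's own code: a module name taken from request input is interpolated into a single command string that a shell parses, so metacharacters in the name change the command. The hardened form validates the name against a strict allow-list and builds the command as an argument array so no shell ever sees the name. The function names, the name policy and the `tar` command are assumptions.

```ruby
require 'shellwords'

# Hypothetical module-name policy: starts with a letter or digit, then only
# letters, digits, underscore, hyphen or dot, at most 64 characters. Spaces,
# ';', '|', '$', backticks and the like are rejected before any command is built.
MODULE_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9_.\-]{0,63}\z/

def valid_module_name?(name)
  name.is_a?(String) && MODULE_NAME_RE.match?(name)
end

# Vulnerable shape (the pattern the advisory describes): the name is spliced
# into one string that `system`/backticks would hand to /bin/sh, so anything
# the shell treats specially in the name becomes part of the command line.
def vulnerable_command(name)
  "tar xzf modules/#{name}.tar.gz -C /var/lib/sfpagent/modules"
end

# Hardened shape: reject unexpected names up front, then return the command as
# an argv array. Passing this array to `system(*argv)` or `Process.spawn(*argv)`
# executes tar directly, with the module name as a literal argument.
def hardened_command(name)
  raise ArgumentError, "invalid module name: #{name.inspect}" unless valid_module_name?(name)
  ["tar", "xzf", "modules/#{name}.tar.gz", "-C", "/var/lib/sfpagent/modules"]
end

# Detection helper: true when the name contains a character the shell would
# interpret, i.e. when Shellwords would have had to escape something.
def shell_metachar?(name)
  Shellwords.escape(name) != name
end
```

Log or reject any request whose module name fails `valid_module_name?`; the `shell_metachar?` check is a useful signal in request logs even where the array form already makes the name inert.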