ADVISORIES
- CVE-2014-4995 (NVD)
- GHSA-86cf-g34f-7462
- OSVDB-108728
GEM
VladTheEnterprising
SEVERITY
CVSS v3.x: 7.0 (High)
PATCHED VERSIONS
None.
DESCRIPTION
VladTheEnterprising Gem for Ruby contains a flaw: the program creates temporary files insecurely. By using a symlink attack against the /tmp/my.cnf.#{target_host} file, a local attacker can overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary commands.
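The weakness above is a predictable temp-file name in a shared directory, written through an open that follows whatever already occupies the path. The Ruby below is an added illustration written for this advisory page, not code from the VladTheEnterprising gem: it places the vulnerable pattern (fixed name derived from the target host) beside a hardened form that uses Tempfile.create, which picks an unguessable name and opens it with O_CREAT|O_EXCL and permission 0600. The helper names, the constructed credentials, and the idea of handing the resulting path to the mysql client via --defaults-extra-file are assumptions for the example; the check at the end verifies the property the hardened form depends on, namely that an exclusive create refuses a pre-planted symlink instead of writing through it.

```ruby
require "tempfile"
require "tmpdir"

# Vulnerable pattern, as described in the advisory: the credentials file gets a
# fixed, guessable name under the shared temp directory, and File.write follows
# whatever is already sitting at that path, a symlink included.
# (Hypothetical helper name; the gem's own code is not reproduced here.)
def write_predictable_my_cnf(target_host, user, password, tmpdir = Dir.tmpdir)
  path = File.join(tmpdir, "my.cnf.#{target_host}")
  File.write(path, "[client]\nuser=#{user}\npassword=#{password}\n")
  path
end

# Hardened pattern: Tempfile.create chooses an unguessable name, creates it with
# O_CREAT|O_EXCL and permission 0600, yields the path (the caller would pass it
# to mysql with --defaults-extra-file), and unlinks the file when the block ends.
def with_private_my_cnf(user, password, tmpdir = Dir.tmpdir)
  Tempfile.create(["my.cnf.", ".tmp"], tmpdir) do |f|
    f.write("[client]\nuser=#{user}\npassword=#{password}\n")
    f.flush
    yield f.path
  end
end

# True when the file is readable and writable by its owner only.
def private_file_mode?(path)
  (File.stat(path).mode & 0o777) == 0o600
end

# Regression check for the property the hardened form relies on: with
# O_CREAT|O_EXCL, open() fails with EEXIST when anything, including a symlink,
# already occupies the path, so a planted link is never followed. Builds a
# constructed symlink inside +dir+ and returns true if the create is refused
# and the link's target is left untouched.
def exclusive_create_refuses_symlink?(dir)
  target = File.join(dir, "protected")
  File.write(target, "original")
  planted = File.join(dir, "my.cnf.dbhost")
  File.symlink(target, planted)
  begin
    File.open(planted, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write("clobbered")
    end
    false
  rescue Errno::EEXIST
    File.read(target) == "original"
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |scratch|
    puts "O_EXCL refuses planted symlink: #{exclusive_create_refuses_symlink?(scratch)}"
    with_private_my_cnf("app", "example-password", scratch) do |cnf|
      puts "private temp config at #{cnf}, mode 0600: #{private_file_mode?(cnf)}"
    end
  end
end
```

The fix is not only the random name: the exclusive create is what turns a pre-existing entry at the path into a hard failure rather than a silent write to the attacker's chosen target, and the 0600 permission keeps the password out of other local users' reach for the file's short lifetime.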