Arbitrary command execution in slanger
Published: July 16, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-1010306 (NVD)
- GHSA: GHSA-rg32-m3hf-772v
- Vendor Advisory: https://github.com/stevegraham/slanger/pull/238
GEM
slanger
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
>= 0.6.1
DESCRIPTION
A remote attacker can execute arbitrary commands by sending a crafted request to the server.
This is due to the use of Oj.load, whose default object mode can instantiate Ruby objects described by the incoming JSON, instead of Oj.strict_load, which parses only plain JSON types, when processing messages.
Note that slanger is no longer maintained.
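A hardened message parser of the kind the fix calls for, as an added example that is not slanger's own code: it parses with Oj.strict_load when the oj gem is present (falling back to the stdlib JSON parser, an assumption of this example so it also runs without oj installed), then refuses anything that is not plain JSON data before a handler sees it. The Pusher-style frame shape ({"event": ..., "data": ...}) and the sample frames are constructed for the example.

```ruby
# Added example, not slanger's own code: a message parser built around strict
# JSON parsing so that an incoming document can only become plain
# Hash/Array/String/Numeric/true/false/nil values.
# Oj.strict_load is used when the oj gem is installed; the stdlib JSON parser
# is the fallback (an assumption of this example) so it runs without oj.
require 'json'

begin
  require 'oj'
  OJ_AVAILABLE = true
rescue LoadError
  OJ_AVAILABLE = false
end

PARSE_ERRORS = [JSON::ParserError]
PARSE_ERRORS << Oj::ParseError if OJ_AVAILABLE
PARSE_ERRORS.freeze

MessageError = Class.new(StandardError)

# Strict parse: Oj's object-mode markers (for example a "^o" key naming a class)
# are never honoured; they stay ordinary string keys in an ordinary Hash.
def parse_strict(raw)
  OJ_AVAILABLE ? Oj.strict_load(raw) : JSON.parse(raw)
rescue *PARSE_ERRORS => e
  raise MessageError, "malformed message: #{e.message}"
end

# Defence in depth: walk the parsed tree and confirm nothing but plain JSON
# data types came back, which is what a strict parser guarantees. If a parser
# in a permissive mode were ever swapped back in, this check would still
# refuse the result before any handler touched it.
PLAIN_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def plain_data?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  else PLAIN_TYPES.any? { |t| value.is_a?(t) }
  end
end

# Parse one Pusher-protocol frame of the shape slanger receives
# ({"event": ..., "data": ...}) and enforce the minimal structure a handler
# relies on: a Hash with a String event name.
def parse_message(raw)
  msg = parse_strict(raw)
  raise MessageError, 'unexpected object in message' unless plain_data?(msg)
  raise MessageError, 'message must be a JSON object' unless msg.is_a?(Hash)
  raise MessageError, 'missing event name' unless msg['event'].is_a?(String)
  msg
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample frames.
  p parse_message('{"event":"pusher:subscribe","data":{"channel":"presence-demo"}}')
  p parse_strict('{"^o":"SomeClass","x":1}') # "^o" is just a key here, not a class marker
end
```

In strict mode the "^o" key in the second sample comes back as an ordinary string key, which is the whole difference between the patched and unpatched behaviour; the plain_data? walk is an extra guard that costs little and catches a future regression to a permissive parser mode.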
