RubySec

Providing security resources for the Ruby community

CVE-2019-1010306 (slanger): Arbitrary command execution in slanger

GEM

slanger

SEVERITY

CVSS v3: 9.8 (Critical)

PATCHED VERSIONS

  • >= 0.6.1

DESCRIPTION

A remote attacker can execute arbitrary commands by sending a crafted request to the server.

This is due to the use of Oj.load instead of Oj.strict_load when processing messages: in its default mode, Oj.load honours Oj's object-creation tags and deserializes attacker-supplied JSON into arbitrary Ruby objects, whereas Oj.strict_load only parses plain JSON values.

Note that slanger is no longer maintained.