CVE-2024-42360 (sequenceserver): Command Injection in sequenceserver gem

Command Injection in sequenceserver gem

Published: August 13, 2024

SECURITY IDENTIFIERS

CVE: CVE-2024-42360 (NVD)
GHSA: GHSA-qv32-5wm2-p32h
Vendor Advisory: https://github.com/wurmlab/sequenceserver/security/advisories/GHSA-qv32-5wm2-p32h

GEM

sequenceserver

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

>= 3.1.2

DESCRIPTION

Impact

Several HTTP endpoints did not properly sanitize user input and/or query parameters. This could be exploited to inject and run unwanted shell commands

Patches

Fixed in 3.1.2

Workarounds

No known workarounds

https://github.com/wurmlab/sequenceserver/security/advisories/GHSA-qv32-5wm2-p32h
https://github.com/wurmlab/sequenceserver/commit/457e52709f7f9ed2fceed59b3db564cb50785dba
https://github.com/advisories/GHSA-qv32-5wm2-p32h

RubySec