ADVISORIES

• OSVDB-96425
• Vendor Advisory

GEM

redis-namespace

PATCHED VERSIONS

• ~> 1.0.4
• ~> 1.1.1
• ~> 1.2.2
• >= 1.3.1

DESCRIPTION

redis-namespace Gem for Ruby contains a flaw in the method_missing implementation. The issue is triggered when handling exec commands called via send(). This may allow a remote attacker to execute arbitrary commands.

RELATED

• http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
• https://github.com/resque/redis-namespace/issues/65
• https://github.com/resque/redis-namespace/commit/6d839515e8a3fdc17b5fb391500fda3f919689d6
• https://security.snyk.io/vuln/SNYK-RUBY-REDISNAMESPACE-20105