Rubysec

Providing security resources for the Ruby community.

Advisory Archive

---
gem: bootstrap-sass
date: 2019-04-04
url: https://github.com/twbs/bootstrap-sass/issues/1195
cve: 2019-10842
title: Remote code execution in bootstrap-sass
description: |
  Arbitrary code execution (via backdoor code, when
  downloaded from rubygems.org) was discovered in
  bootstrap-sass 3.2.0.3.

  Users are advised to upgrade immediately to 3.2.0.4.

  An unauthenticated attacker can craft the ___cfduid cookie value
  with base64 arbitrary code to be executed via eval(), which can
  be leveraged to execute arbitrary code on the target system.
  (Note that there are three underscore characters in the cookie name.
  This is unrelated to the __cfduid cookie that is legitimately used by
  Cloudflare.)
unaffected_versions:
- "<= 3.2.0.2"
patched_versions:
- ">= 3.2.0.4"