Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: slanger
date: 2019-07-16
url: https://github.com/stevegraham/slanger/pull/238
cve: 2019-1010306
title: Arbitrary command execution in slanger
description: |
  A remote attacker can execute arbitrary commands on the server by sending a crafted message.

  The cause is that incoming messages are deserialized with `Oj.load` rather than `Oj.strict_load`. In Oj's default (`:object`) mode, `Oj.load` honours the special `^o` key and instantiates whatever Ruby class the attacker names in the JSON, with attacker-chosen instance variables; ordinary application code that later touches the resulting object (string interpolation, comparison, hashing) then runs attacker-chosen methods. `Oj.strict_load` only returns JSON-native types (hashes, arrays, strings, numbers, booleans and nil), so the same key is just a harmless string. Untrusted input must never reach an object-mode parser.

  Note that `slanger` is no longer maintained; upgrade to 0.6.1 or migrate to a maintained server.
cvss_v3: '9.8'
patched_versions:
- ">= 0.6.1"
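As an added illustration (not code from this advisory or from the slanger project), the following Ruby block emulates Oj's object-mode `^o` rule, shows how ordinary application code then invokes a method on the attacker-chosen object, and contrasts it with a strictly parsed, validated handler. The `DemoGadget` class, the two sample frames, the `pusher:*` event whitelist and the channel-name pattern are constructed for the example; the standard-library `JSON.parse` stands in for `Oj.strict_load`, which returns the same JSON-only types.

```ruby
require 'json'

# Hypothetical class standing in for a real deserialization gadget. An attacker
# only needs some class already loaded in the process whose methods have side
# effects when the application later calls them (to_s, ==, hash, ...).
class DemoGadget
  def to_s
    $demo_gadget_fired = @cmd # a real gadget would execute @cmd here
    "<gadget>"
  end
end
$demo_gadget_fired = nil

# Emulation (not Oj's code) of the "^o" rule of Oj's :object mode, the mode
# Oj.load uses by default: a hash carrying "^o" names a class to allocate, and
# its other keys become that object's instance variables.
def object_mode_load(json)
  walk = lambda do |node|
    case node
    when Hash
      if node.key?("^o")
        obj = Object.const_get(node["^o"]).allocate
        node.each do |k, v|
          next if k == "^o"
          obj.instance_variable_set("@#{k}", walk.call(v))
        end
        obj
      else
        node.transform_values { |v| walk.call(v) }
      end
    when Array
      node.map { |v| walk.call(v) }
    else
      node
    end
  end
  walk.call(JSON.parse(json))
end

# Constructed sample frames in the Pusher message shape slanger handles.
BENIGN_FRAME  = '{"event":"pusher:subscribe","data":{"channel":"news"}}'
HOSTILE_FRAME = '{"event":"pusher:subscribe","data":{"^o":"DemoGadget","cmd":"id"}}'

# Vulnerable shape: object-mode parse, then ordinary application code touches
# the result. The interpolation below calls to_s on whatever "data" became.
def vulnerable_handle(frame)
  msg = object_mode_load(frame)
  "subscribe #{msg['data']}"
end

ALLOWED_EVENTS = %w[pusher:subscribe pusher:unsubscribe pusher:ping].freeze
CHANNEL_NAME   = /\A[A-Za-z0-9_\-=@,.;]+\z/ # Pusher's channel-name character set

# Hardened shape: strict parse (JSON-native types only, as Oj.strict_load gives),
# then validate shape and values before acting on the message. A "^o" key here
# is just a string key and is rejected because no valid channel is present.
def safe_handle(frame)
  msg = JSON.parse(frame)
  raise ArgumentError, "message must be an object" unless msg.is_a?(Hash)
  event = msg["event"]
  raise ArgumentError, "unknown event #{event.inspect}" unless ALLOWED_EVENTS.include?(event)
  data = msg.fetch("data", {})
  raise ArgumentError, "data must be an object" unless data.is_a?(Hash)
  channel = data["channel"]
  unless channel.is_a?(String) && channel.match?(CHANNEL_NAME)
    raise ArgumentError, "invalid channel #{channel.inspect}"
  end
  { event: event, channel: channel }
end
```

Run `vulnerable_handle(HOSTILE_FRAME)` and `$demo_gadget_fired` becomes `"id"`: the parser built the gadget and the handler's own logging string fired it. `safe_handle(HOSTILE_FRAME)` raises before any application code sees the payload, and `JSON.parse(HOSTILE_FRAME)["data"]` is a plain hash with the literal key `"^o"`.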