oss-sec mailing list archives
Re: Remote Command Injection in Ruby Gem sfpagent 0.4.14
From: cve-assign () mitre org
Date: Fri, 18 Apr 2014 02:55:55 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html
> Version 0.4.15 fixes this issue.
> The list variable generated from the user-supplied JSON[body] input is passed directly to the system() shell on line 649. If a user supplies a module name with shell metacharacters like ; they might be able to execute shell commands.

Use CVE-2014-2888.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTUMrDAAoJEKllVAevmvmsMA4H/0WXlMYwKrXkdr2124LOXXMg
F4iC48iX0Nz+AxOtjM4jqgmPYhbq5Dvlw7MMZn0chCaB1o419Q1rb8kQ4OOBLXhC
ief+wCLEgjARpfEGxp+m9RQFR9YRyDIYrVNGqB4VfiPiG3HpkVX6WIKDXst56/fq
a0haXFLV5nm7sIHjc0Q+/LIJYEgiaQDWIKgBo3S/X1S0+uAY+M0Tt84XcPT4cyU7
qXoDWxPDqhlNangZyz/k8bka5BcFfM50pTVsd/xVTDjP7zWcot+6rhrwu5DNzGOv
f1BRsTBjH1+QeFOGiHabxe3O18QGt0FWFCaR0MEseEScNRIYbxImxfn9Ki4rcec=
=Y1KO
-----END PGP SIGNATURE-----
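The bug class quoted above (a JSON-supplied list of module names joined into one string and handed to system()) is worth seeing next to its fix. The Ruby below is an added illustration written for this archive page, not sfpagent's own code; the helper name install_module, the JSON key "modules" and the request bodies are constructed for the example. The vulnerable function only builds the string the shell would receive, so running it is harmless; the hardened path validates every name against a conservative identifier pattern and then uses the argv form of system(), which passes each element as one argument with no shell involved.

```ruby
require 'json'

# Constructed example, not sfpagent's code. Module names are accepted only
# if they are plain identifiers: no whitespace, ';', '|', '&', '$', '`',
# quotes or newlines can get through this pattern.
MODULE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/

def shell_metachar?(name)
  !MODULE_NAME.match?(name)
end

# Vulnerable shape: the list from the request body is interpolated into a
# single command string. A name such as "apache; id" ends the intended
# command and starts a second one. Returns the string /bin/sh would parse;
# it deliberately does NOT execute it.
def vulnerable_command(body)
  list = JSON.parse(body)['modules'].join(' ')
  "install_module #{list}"
end

# Hardened shape, step 1: parse and validate before anything touches a
# process. Rejects non-array bodies, non-string entries and any name
# that fails the allowlist pattern.
def safe_module_list(body)
  mods = JSON.parse(body)['modules']
  raise ArgumentError, 'modules must be an array' unless mods.is_a?(Array)
  mods.each do |m|
    unless m.is_a?(String) && MODULE_NAME.match?(m)
      raise ArgumentError, "rejected module name: #{m.inspect}"
    end
  end
  mods
end

# Hardened shape, step 2: invoke the helper with system('prog', *args).
# With more than one argument Ruby execs the program directly, so the
# names are argv entries, never shell text. The runner is injectable so
# the call can be observed without spawning anything (hypothetical
# install_module binary).
def run_install(body, runner: Kernel.method(:system))
  mods = safe_module_list(body)
  runner.call('install_module', *mods)
end

if __FILE__ == $0
  evil = '{"modules":["apache; id"]}'   # constructed malicious request body
  puts "shell would receive: #{vulnerable_command(evil)}"
  begin
    run_install(evil, runner: ->(*argv) { puts "argv: #{argv.inspect}"; true })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Note that escaping alone (Shellwords.escape on each name) would also have defused the metacharacters, but the allowlist plus argv form is the stronger fix: it removes the shell from the path entirely, so there is no quoting layer left to get wrong.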
Current thread:
- Remote Command Injection in Ruby Gem sfpagent 0.4.14 Larry W. Cashdollar (Apr 15)
- Re: Remote Command Injection in Ruby Gem sfpagent 0.4.14 cve-assign (Apr 18)