

GSD-2015-7314

Vulnerability from gsd - Updated: 2015-09-20 00:00
Details
The gollum gem contains a flaw in its upload file functionality that can allow arbitrary file access. This occurs due to a lack of type checking when handling temporary files during the upload process.
Aliases

{
  "GSD": {
    "alias": "CVE-2015-7314",
    "description": "The Precious module in gollum before 4.0.1 allows remote attackers to read arbitrary files by leveraging the lack of a certain temporary-file check.",
    "id": "GSD-2015-7314"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "gollum",
            "purl": "pkg:gem/gollum"
          }
        }
      ],
      "aliases": [
        "CVE-2015-7314",
        "OSVDB-127779",
        "GHSA-m2q3-53fq-7h66"
      ],
      "details": "The gollum gem contains a flaw in its upload file functionality that can\nallow arbitrary file access. This occurs due to a lack of type checking\nwhen handling temporary files during the upload process.\n",
      "id": "GSD-2015-7314",
      "modified": "2015-09-20T00:00:00.000Z",
      "published": "2015-09-20T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "gollum Upload File Functionality Permits Arbitrary File Access"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-7314",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Precious module in gollum before 4.0.1 allows remote attackers to read arbitrary files by leveraging the lack of a certain temporary-file check."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1",
            "refsource": "CONFIRM",
            "url": "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1"
          },
          {
            "name": "JVN#27548431",
            "refsource": "JVN",
            "url": "http://jvn.jp/en/jp/JVN27548431/index.html"
          },
          {
            "name": "JVNDB-2015-000149",
            "refsource": "JVNDB",
            "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000149"
          },
          {
            "name": "https://github.com/gollum/gollum/issues/1070",
            "refsource": "CONFIRM",
            "url": "https://github.com/gollum/gollum/issues/1070"
          },
          {
            "name": "[oss-security] 20150922 Re: CVE Request: gollum information disclosure vulnerability",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2015/09/22/12"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-7314",
      "date": "2015-09-20",
      "description": "The gollum gem contains a flaw in its upload file functionality that can\nallow arbitrary file access. This occurs due to a lack of type checking\nwhen handling temporary files during the upload process.\n",
      "gem": "gollum",
      "ghsa": "m2q3-53fq-7h66",
      "osvdb": 127779,
      "patched_versions": [
        "\u003e= 4.0.1"
      ],
      "title": "gollum Upload File Functionality Permits Arbitrary File Access",
      "url": "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.0.1",
          "affected_versions": "All versions before 4.0.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2015-10-07",
          "description": "A vulnerability allows attackers to gain read access to arbitrary files on the system.",
          "fixed_versions": [
            "4.0.1"
          ],
          "identifier": "CVE-2015-7314",
          "identifiers": [
            "CVE-2015-7314"
          ],
          "not_impacted": "All versions starting from 4.0.1",
          "package_slug": "gem/gollum",
          "pubdate": "2015-10-05",
          "solution": "Upgrade to version 4.0.1 or above.",
          "title": "Information disclosure vulnerability",
          "urls": [
            "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1"
          ],
          "uuid": "59e68855-90fc-4dd6-a887-cf03a132b7b4"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:gollum_project:gollum:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-7314"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Precious module in gollum before 4.0.1 allows remote attackers to read arbitrary files by leveraging the lack of a certain temporary-file check."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20150922 Re: CVE Request: gollum information disclosure vulnerability",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2015/09/22/12"
            },
            {
              "name": "https://github.com/gollum/gollum/issues/1070",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/gollum/gollum/issues/1070"
            },
            {
              "name": "JVN#27548431",
              "refsource": "JVN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://jvn.jp/en/jp/JVN27548431/index.html"
            },
            {
              "name": "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1"
            },
            {
              "name": "JVNDB-2015-000149",
              "refsource": "JVNDB",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000149"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2015-10-07T14:45Z",
      "publishedDate": "2015-10-06T01:59Z"
    }
  }
}