

GSD-2014-2888

Vulnerability from gsd - Updated: 2014-04-16 00:00
Details
The sfpagent gem for Ruby (lib/sfpagent/bsig.rb, versions before 0.4.15) takes the module name from the JSON request body (JSON[body]) and hands it to a shell without validating it, so a module name containing shell metacharacters is interpreted as shell syntax rather than as data. The request path needs no authentication (CVSS v2 vector AV:N/AC:L/Au:N), so an unauthenticated remote attacker who can reach the agent can execute arbitrary commands on the host running it. Upgrade to sfpagent 0.4.15 or later; the fix is to stop passing untrusted module names through a shell, not merely to strip characters.
Aliases

{
  "GSD": {
    "alias": "CVE-2014-2888",
    "description": "lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request.",
    "id": "GSD-2014-2888",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2014-2888"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "sfpagent",
            "purl": "pkg:gem/sfpagent"
          }
        }
      ],
      "aliases": [
        "CVE-2014-2888",
        "OSVDB-105971"
      ],
      "details": "sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]\ninput is not properly sanitized when handling module names with shell\nmetacharacters. This may allow a context-dependent attacker to execute\narbitrary commands.\n",
      "id": "GSD-2014-2888",
      "modified": "2014-04-16T00:00:00.000Z",
      "published": "2014-04-16T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2888"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V2"
        }
      ],
      "summary": "sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-2888",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20140415 Remote Command Injection in Ruby Gem sfpagent 0.4.14",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/04/16/1"
          },
          {
            "name": "[oss-security] 20140418 Re: Remote Command Injection in Ruby Gem sfpagent 0.4.14",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/04/18/4"
          },
          {
            "name": "20140418 Remote Command Injection in Ruby Gem sfpagent 0.4.14",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2014/Apr/243"
          },
          {
            "name": "http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html",
            "refsource": "MISC",
            "url": "http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2014-2888",
      "cvss_v2": 7.5,
      "date": "2014-04-16",
      "description": "sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]\ninput is not properly sanitized when handling module names with shell\nmetacharacters. This may allow a context-dependent attacker to execute\narbitrary commands.\n",
      "gem": "sfpagent",
      "osvdb": 105971,
      "patched_versions": [
        "\u003e= 0.4.15"
      ],
      "title": "sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2888"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=0.4.14",
          "affected_versions": "All versions up to 0.4.14",
          "credit": "Larry W. Cashdollar",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2014-05-10",
          "description": "The gem contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.",
          "fixed_versions": [
            "0.4.15"
          ],
          "identifier": "CVE-2014-2888",
          "identifiers": [
            "CVE-2014-2888"
          ],
          "not_impacted": "All versions after 0.4.14",
          "package_slug": "gem/sfpagent",
          "pubdate": "2014-04-23",
          "solution": "Upgrade to version 0.4.15 or above.",
          "title": "Remote Command Execution using JSON[body]",
          "urls": [
            "http://seclists.org/oss-sec/2014/q2/118",
            "http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html"
          ],
          "uuid": "ccf893c3-ed16-4199-8518-104b88a1599f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.13:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.12:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.4:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.3:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.7:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.6:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.10:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.9:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.8:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.7:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.0.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.11:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.10:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.5:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.4:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.8:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.7:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.14:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.13:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.6:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.5:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.9:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.8:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.10:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.3:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.6:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.5:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.12:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.11:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.4:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.3:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.4.14",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.7:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.6:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.4.5:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.9:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.8:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.3.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.4:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.3:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.2.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.10:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.9:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:herry:sfpagent:0.1.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2888"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20140418 Re: Remote Command Injection in Ruby Gem sfpagent 0.4.14",
              "refsource": "MLIST",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2014/04/18/4"
            },
            {
              "name": "http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html"
            },
            {
              "name": "[oss-security] 20140415 Remote Command Injection in Ruby Gem sfpagent 0.4.14",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2014/04/16/1"
            },
            {
              "name": "20140418 Remote Command Injection in Ruby Gem sfpagent 0.4.14",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2014/Apr/243"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2014-05-10T04:06Z",
      "publishedDate": "2014-04-23T15:55Z"
    }
  }
}