Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2014-4994
Vulnerability from gsd - Updated: 2014-06-30 00:00Details
gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-4994",
"description": "lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.",
"id": "GSD-2014-4994"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "gyazo",
"purl": "pkg:gem/gyazo"
}
}
],
"aliases": [
"CVE-2014-4994",
"OSVDB-108563"
],
"details": "gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.",
"id": "GSD-2014-4994",
"modified": "2014-06-30T00:00:00.000Z",
"published": "2014-06-30T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4994"
}
],
"schema_version": "1.4.0",
"summary": "gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4994",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140717 Re: Vulnerability Report for Ruby Gem codders-dataset-1.3.2.1 (etc.)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2014/07/17/5"
},
{
"name": "[oss-security] 20140707 Vulnerability Report for Ruby Gem gyazo-1.0.0",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2014/07/07/13"
},
{
"name": "http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html",
"refsource": "MISC",
"url": "http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-4994",
"date": "2014-06-30",
"description": "gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.",
"gem": "gyazo",
"osvdb": 108563,
"patched_versions": [
"\u003e= 2.0.0"
],
"title": "gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4994"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "=1.0.0",
"affected_versions": "Version 1.0.0",
"credit": "Larry W. Cashdollar, @_larry0",
"cvss_v2": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2018-01-30",
"description": "If this Gem is used in the context of a RoR app a malicious user may inject commands via `#{imagefile}` and `#{tmpfile}` using shell meta characters like `;` and sending an escaped `\\\"` if the raw option is not set.",
"fixed_versions": [],
"identifier": "CVE-2014-4994",
"identifiers": [
"CVE-2014-4994"
],
"not_impacted": "You are not impacted if you don\u0027t send user controlled data to this gem\u0027s upload method.",
"package_slug": "gem/gyazo",
"pubdate": "2018-01-10",
"solution": "There is no solution for this vulnerability at the moment.",
"title": "Command injection vulnerability",
"urls": [
"http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html"
],
"uuid": "73da6e6e-54d3-4cd2-b3f4-2518c50b3933"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:gyazo_project:gyazo:1.0.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4994"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html"
},
{
"name": "[oss-security] 20140717 Re: Vulnerability Report for Ruby Gem codders-dataset-1.3.2.1 (etc.)",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/17/5"
},
{
"name": "[oss-security] 20140707 Vulnerability Report for Ruby Gem gyazo-1.0.0",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2014/07/07/13"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2018-01-30T14:47Z",
"publishedDate": "2018-01-10T18:29Z"
}
}
}