
Related vulnerabilities

GSD-2014-10075

Vulnerability from gsd - Updated: 2014-06-30 00:00
Details
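The karo gem 2.3.8 for Ruby allows remote command injection via the host field. The karo gem contains a flaw in db.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

* CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
* Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Note: the sources aggregated in the record below disagree on scope. The NVD CPE entry names only version 2.3.8, while the GitLab advisory gives the affected range as all versions up to 2.5.2 and lists no fixed version, so the issue should not be assumed to be limited to 2.3.8.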
Aliases

{
  "GSD": {
    "alias": "CVE-2014-10075",
    "description": "The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.",
    "id": "GSD-2014-10075"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "karo",
            "purl": "pkg:gem/karo"
          }
        }
      ],
      "aliases": [
        "CVE-2014-10075",
        "OSVDB-108573",
        "GHSA-qfwq-chf4-jvwg"
      ],
      "details": "The karo gem 2.3.8 for Ruby allows Remote command injection via\nthe host field.\n\nkaro Gem for Ruby contains a flaw in db.rb that is triggered when handling\nmetacharacters. This may allow a remote attacker to execute arbitrary\ncommands.\n\n* CWE-77 - Improper Neutralization of Special Elements used\n  in a Command (\u0027Command Injection\u0027)\n\n* Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n",
      "id": "GSD-2014-10075",
      "modified": "2014-06-30T00:00:00.000Z",
      "published": "2014-06-30T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-10075"
        },
        {
          "type": "WEB",
          "url": "http://www.vapid.dhs.org/advisories/karo-2.3.8.html"
        },
        {
          "type": "WEB",
          "url": "http://www.vapidlabs.com/advisory.php?v=63"
        },
        {
          "type": "WEB",
          "url": "http://osvdb.org/show/osvdb/108573"
        },
        {
          "type": "WEB",
          "url": "https://github.com/advisories/GHSA-qf67-vmxx-gp4jGHSA-qfwq-chf4-jvwg.json"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rahult/karo"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rahult/karo/blob/master/CHANGELOG.md"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 9.8,
          "type": "CVSS_V3"
        }
      ],
      "summary": "karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-10075",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The karo gem 2.3.8 for Ruby allows Remote command injection via the host field."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.vapidlabs.com/advisory.php?v=63",
            "refsource": "MISC",
            "url": "http://www.vapidlabs.com/advisory.php?v=63"
          },
          {
            "name": "http://www.vapid.dhs.org/advisories/karo-2.3.8.html",
            "refsource": "MISC",
            "url": "http://www.vapid.dhs.org/advisories/karo-2.3.8.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2014-10075",
      "cvss_v3": 9.8,
      "date": "2014-06-30",
      "description": "The karo gem 2.3.8 for Ruby allows Remote command injection via\nthe host field.\n\nkaro Gem for Ruby contains a flaw in db.rb that is triggered when handling\nmetacharacters. This may allow a remote attacker to execute arbitrary\ncommands.\n\n* CWE-77 - Improper Neutralization of Special Elements used\n  in a Command (\u0027Command Injection\u0027)\n\n* Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n",
      "framework": "rubygems",
      "gem": "karo",
      "ghsa": "qfwq-chf4-jvwg",
      "library": "rubygems",
      "osvdb": 108573,
      "platform": "rubygems",
      "related": {
        "url": [
          "https://nvd.nist.gov/vuln/detail/CVE-2014-10075",
          "http://www.vapid.dhs.org/advisories/karo-2.3.8.html",
          "http://www.vapidlabs.com/advisory.php?v=63",
          "http://osvdb.org/show/osvdb/108573",
          "https://github.com/advisories/GHSA-qf67-vmxx-gp4jGHSA-qfwq-chf4-jvwg.json",
          "https://github.com/rahult/karo",
          "https://github.com/rahult/karo/blob/master/CHANGELOG.md"
        ]
      },
      "title": "karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-10075"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=2.5.2",
          "affected_versions": "All versions up to 2.5.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-77",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2023-03-29",
          "description": "The karo gem for Ruby allows Remote command injection via the host field.",
          "fixed_versions": [],
          "identifier": "CVE-2014-10075",
          "identifiers": [
            "GHSA-qfwq-chf4-jvwg",
            "CVE-2014-10075"
          ],
          "not_impacted": "",
          "package_slug": "gem/karo",
          "pubdate": "2022-05-14",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2014-10075",
            "http://www.vapid.dhs.org/advisories/karo-2.3.8.html",
            "http://www.vapidlabs.com/advisory.php?v=63",
            "https://github.com/rahult/karo/blob/master/lib/karo/db.rb#L76",
            "https://github.com/rahult/karo/blob/master/lib/karo/db.rb#L95",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/karo/CVE-2014-10075.yml",
            "https://github.com/advisories/GHSA-qfwq-chf4-jvwg"
          ],
          "uuid": "a6112d70-49da-4c4b-93ed-5693549534dc"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:karo_project:karo:2.3.8:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-10075"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The karo gem 2.3.8 for Ruby allows Remote command injection via the host field."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-77"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.vapidlabs.com/advisory.php?v=63",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://www.vapidlabs.com/advisory.php?v=63"
            },
            {
              "name": "http://www.vapid.dhs.org/advisories/karo-2.3.8.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://www.vapid.dhs.org/advisories/karo-2.3.8.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-12-13T15:07Z",
      "publishedDate": "2018-10-05T06:29Z"
    }
  }
}