CVE-2014-4992: Command injection vulnerability
User-supplied input is not properly sanitized for #{user} and #{password} in the create_user helper method. Because both values are interpolated into the command string, this can lead to command injection if this gem is used in the context of a Ruby on Rails (RoR) application. The password is also exposed in the process table listing, and its hash is generated with the same salt every time.
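As an added illustration (constructed for this page, not the gem's own code, which the advisory does not quote): the interpolation pattern described above beside a replacement that allowlists the username, hashes in-process so the password never appears on a command line, and draws a fresh random salt per entry. The tool name in the vulnerable builder is a placeholder.

```ruby
require 'openssl'
require 'securerandom'

# Pattern the advisory describes (constructed illustration, not the gem's code):
# user and password are interpolated straight into a shell command string, so the
# shell parses any metacharacters in either value, and the password is visible to
# every local user via the process table while the command runs.
def vulnerable_create_user_command(user, password)
  "adduser-tool -b users.db #{user} #{password}" # hypothetical tool name
end

USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/
PBKDF2_ITERATIONS = 100_000

# Hardened replacement: reject anything outside a strict username allowlist,
# keep the password off every command line by hashing in-process, and use a
# random per-entry salt so equal passwords do not yield equal hashes.
def create_user_entry(user, password)
  raise ArgumentError, 'invalid username' unless user.match?(USERNAME_RE)
  raise ArgumentError, 'password too short' if password.to_s.length < 8
  salt = SecureRandom.hex(16)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  "#{user}:pbkdf2-sha256:#{PBKDF2_ITERATIONS}:#{salt}:#{dk.unpack1('H*')}"
end

# Constant-time comparison so verification timing does not leak the stored hash.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the key from the stored salt and iteration count and compare.
def verify_user_entry(entry, password)
  _user, scheme, iters, salt, expected = entry.split(':', 5)
  return false unless scheme == 'pbkdf2-sha256'
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i, 32, 'sha256')
  secure_equal?(dk.unpack1('H*'), expected)
end
```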