CVE-2016-10194: Ruby Arbitrary Command Execution

March 3, 2017 (updated March 9, 2017)

The package festivaltts4r passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to the to_speech and to_mp3 methods in lib/festivaltts4r/festival4r.rb library.

References

github.com/spejman/festivaltts4r/issues/1

Detect and mitigate CVE-2016-10194 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →