CVE-2014-9489: Remote Code Execution
In vulnerable versions of the gem, entering -O<arbitrary command> or --open-files-in-pager <arbitrary command> in the wiki's search field executes an arbitrary shell command. The search term is handed to git grep unescaped and ahead of the branch name, so git parses the term as a command-line option and the branch name (by default "master") as the search pattern. Because -O only launches the named program when grep finds a match, the attack works only if the string "master" (more precisely, the name of the git branch gollum is using) appears in at least one of the wiki's files.
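The following Ruby is an added example and not code from gollum or gollum-lib. It models how an unescaped search term turns into a git grep option, shows an argv shape that prevents it, and reproduces the "only if a file contains master" condition. The flag list, the argument order, the sample wiki contents and the use of -e as the hardening are assumptions; the page only states that the term lands in front of the branch name so that -O<cmd> is read as an option and "master" as the pattern.

```ruby
# Added example, not gollum's code. Models git grep argument handling for
# CVE-2014-9489 and contrasts a vulnerable argv with a hardened one.

BRANCH = 'master'.freeze

# Assumed vulnerable shape: fixed options, then the raw user term, then the ref.
# git keeps parsing options while tokens start with "-", so a term such as
# "-Oid" is consumed as --open-files-in-pager=id and BRANCH becomes the pattern.
def grep_argv_vulnerable(term)
  ['git', 'grep', '-I', '-i', '-c', term, BRANCH]
end

# Hardened shape (assumed, standard git idiom): bind the term to -e, which
# always consumes exactly one argument, so a leading "-" can no longer open
# a new option. The ref is then correctly seen as a ref.
def grep_argv_hardened(term)
  ['git', 'grep', '-I', '-i', '-c', '-e', term, BRANCH]
end

# Simplified model of git grep's argument handling, enough for this bug:
#  * options are parsed until the first non-option token or "--";
#  * -e<pat> / -e <pat> sets the pattern;
#  * -O[<pager>] and --open-files-in-pager[=<pager>] set the pager
#    (value attached, optional);
#  * without -e, the first non-option token becomes the pattern;
#  * remaining tokens are refs, and paths after "--".
BOOL_OPTS = %w[-I -i -c -n -l].freeze

def parse_git_grep(argv)
  args = argv.drop(2) # drop "git", "grep"
  out = { pattern: nil, pager: nil, ignore_case: false, refs: [], paths: [] }
  i = 0
  while i < args.length && args[i].start_with?('-') && args[i] != '--'
    a = args[i]
    if a == '-e'
      out[:pattern] = args.fetch(i + 1)
      i += 2
    elsif a.start_with?('-e')
      out[:pattern] = a[2..]
      i += 1
    elsif a.start_with?('-O')
      out[:pager] = a.length > 2 ? a[2..] : 'default'
      i += 1
    elsif a.start_with?('--open-files-in-pager')
      out[:pager] = a.include?('=') ? a.split('=', 2).last : 'default'
      i += 1
    elsif BOOL_OPTS.include?(a)
      out[:ignore_case] = true if a == '-i'
      i += 1
    else
      raise ArgumentError, "option not modelled: #{a}"
    end
  end
  if out[:pattern].nil? && i < args.length
    out[:pattern] = args[i]
    i += 1
  end
  rest = args.drop(i)
  dd = rest.index('--')
  out[:refs]  = dd ? rest[0...dd] : rest
  out[:paths] = dd ? rest[(dd + 1)..] : []
  out
end

# The page's caveat: -O only spawns the pager when grep matches something.
# With the term turned into an option the pattern is the branch name, so the
# command runs only if some wiki file contains "master". `files` is a Hash of
# path => content, constructed by the caller. Returns the pager command that
# would be executed, or nil. The pattern is used as a regex, as git would.
def pager_command_fired(argv, files)
  p = parse_git_grep(argv)
  return nil unless p[:pager]
  re = Regexp.new(p[:pattern].to_s, p[:ignore_case] ? Regexp::IGNORECASE : 0)
  files.values.any? { |c| c.match?(re) } ? p[:pager] : nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample wiki: one page mentions the branch name, one does not.
  wiki = { 'Home.md' => 'Check out the master branch first', 'Notes.md' => 'nothing here' }
  term = '-Oid'
  puts "vulnerable: #{parse_git_grep(grep_argv_vulnerable(term)).inspect}"
  puts "hardened:   #{parse_git_grep(grep_argv_hardened(term)).inspect}"
  puts "pager run?  #{pager_command_fired(grep_argv_vulnerable(term), wiki).inspect}"
end
```

With the vulnerable argv the model reports pager "id", pattern "master" and no refs; with the -e form the pattern is the literal "-Oid" and "master" is back in the ref position. Dropping the Notes.md-only wiki into pager_command_fired returns nil, which is the "no file contains master" case described above.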