CVE-2014-4994: Command injection vulnerability
If this gem is used in the context of a Ruby on Rails application, a malicious user may inject commands through the #{imagefile} and #{tmpfile} interpolations: the values are placed into a shell command string, so an attacker can supply shell metacharacters such as ; and an escaped double quote (\") to break out of the quoted argument and run arbitrary commands. This is possible when the raw option is not set.
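The pattern behind this class of bug, shown as an added example that is not the affected gem's own code: the two attacker-controlled values are interpolated into a single command string, which Ruby hands to /bin/sh, so a quote and a semicolon in the input become shell syntax. Assumptions: echo stands in for the external tool the gem shells out to (so the demo is harmless and runs offline), the gem's raw option is not modelled, and the payload string is constructed for illustration. The safe variants pass the values as argv, so no shell ever parses them, or escape them with Shellwords when a single command string is unavoidable.

```ruby
require "open3"
require "shellwords"

# Stand-in for the external tool the gem invokes (assumption: echo, so
# nothing harmful runs and the example works on any POSIX system).
TOOL = "echo"

# Vulnerable pattern: untrusted values interpolated into one shell string.
# Wrapping them in double quotes does not help, because a literal " in the
# input closes the quote and a ; starts a new command.
def vulnerable_command(imagefile, tmpfile)
  %(#{TOOL} "#{imagefile}" "#{tmpfile}")
end

# A single string argument makes Ruby run the command via /bin/sh -c,
# so the shell parses every metacharacter the attacker supplied.
def run_vulnerable(imagefile, tmpfile)
  out, _status = Open3.capture2(vulnerable_command(imagefile, tmpfile))
  out
end

# Fixed pattern 1: argv form. Each value is one argument to the program;
# no shell is involved, so quotes and semicolons are plain bytes.
def run_safe(imagefile, tmpfile)
  out, _status = Open3.capture2(TOOL, imagefile, tmpfile)
  out
end

# Fixed pattern 2: if a single command string is unavoidable, escape each
# value with Shellwords so the shell sees exactly one word per value.
def escaped_command(imagefile, tmpfile)
  "#{TOOL} #{Shellwords.escape(imagefile)} #{Shellwords.escape(tmpfile)}"
end

def run_escaped(imagefile, tmpfile)
  out, _status = Open3.capture2(escaped_command(imagefile, tmpfile))
  out
end

# Constructed payload: closes the quoted argument, chains a second command,
# then re-opens a quote so the trailing "#{tmpfile}" still parses cleanly.
PAYLOAD = %(a.png"; echo INJECTED; echo ")

# Crude detector used by the demo: the injected command produced its own
# output line, which the intended single invocation never would.
def injected?(output)
  output.lines.map(&:chomp).include?("INJECTED")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_vulnerable(PAYLOAD, 'out.pdf').inspect}"
  puts "argv form:  #{run_safe(PAYLOAD, 'out.pdf').inspect}"
  puts "escaped:    #{run_escaped(PAYLOAD, 'out.pdf').inspect}"
end
```

With the payload above the vulnerable form runs three shell commands and prints INJECTED on its own line, while both fixed forms print the payload back verbatim as a single argument, which is what a fixed version of the gem has to guarantee for every value it forwards to the external tool.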