CVE-2014-4998: Command injection vulnerability
The script `/test/tc_database.rb` exposes MySQL password information in plaintext in the process table. If this gem is used in the context of a Ruby on Rails (RoR) application, a remote attacker might be able to inject commands via the `#{user}` and `#{password}` variables, as they are not sanitized before being passed to the shell.
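As an added illustration of the pattern described above (example code, not code from the affected gem or from this advisory): a MySQL client invocation built by Ruby string interpolation and handed to the shell, beside an argv-array form that never invokes a shell and passes the password through the environment rather than the command line. The function names, `MYSQL_PWD` usage and the `testdb` values are assumptions.

```ruby
# Added example (not from the affected gem): the shell-interpolation pattern
# the advisory describes, next to a hardened equivalent.
require 'shellwords'
require 'open3'

# VULNERABLE PATTERN: a single string handed to /bin/sh. Whitespace and shell
# metacharacters inside `user` or `password` are interpreted by the shell,
# and the password is visible in the process table (e.g. `ps aux`) for as
# long as the command runs.
def mysql_command_string(user, password, database)
  "mysql -u#{user} -p#{password} #{database}"
end

# Show how /bin/sh would tokenize that string: a value containing whitespace
# is no longer one argument, which is the root of the injection problem.
def shell_tokens(cmd)
  Shellwords.split(cmd)
end

# HARDENED: the argv-array form of Kernel#system / Open3 never invokes a
# shell, so each element is exactly one argument regardless of its content.
def mysql_command_argv(user, database)
  ['mysql', '--user', user, database]
end

# The password goes through the environment (MYSQL_PWD is read by the mysql
# client; an option file is the other documented route) instead of argv, so
# it does not appear in `ps` output.
def mysql_env(password)
  { 'MYSQL_PWD' => password }
end

# Run the hardened form; returns [stdout, status]. Kept as a thin wrapper so
# the command construction above can be unit tested without a MySQL server.
def run_mysql(user, password, database, sql)
  Open3.capture2(mysql_env(password), *mysql_command_argv(user, database),
                 '-e', sql)
end

# Defensive check for a test suite: only accept identifiers a shell cannot
# reinterpret, so a stray interpolation elsewhere stays harmless.
SAFE_IDENT = /\A[[:alnum:]_]+\z/.freeze
def safe_identifier?(value)
  !!(value.to_s =~ SAFE_IDENT)
end
```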