CVE-2014-2888: Remote Command Execution using JSON[body]

April 23, 2014 (updated May 10, 2014)

The gem contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.

References

seclists.org/oss-sec/2014/q2/118
www.vapid.dhs.org/advisories/spfagent-remotecmd.html

Detect and mitigate CVE-2014-2888 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →