CVE-2014-4995: Command injection vulnerability
(updated )
VladTheEnterprising Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/my.cnf.#{target_host} file they can overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary commands.
References
Detect and mitigate CVE-2014-4995 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →