CVE-2014-4996: Improper Link Resolution Before File Access ('Link Following')

January 10, 2018 (updated January 30, 2018)

lib/vlad/dba/mysql.rb in the VladTheEnterprising gem for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target_host}.

References

www.openwall.com/lists/oss-security/2014/07/07/14
www.openwall.com/lists/oss-security/2014/07/17/5
www.securityfocus.com/bid/68731
www.vapid.dhs.org/advisories/VladTheEnterprising-0.2.html
exchange.xforce.ibmcloud.com/vulnerabilities/94744
nvd.nist.gov/vuln/detail/CVE-2014-4996

Detect and mitigate CVE-2014-4996 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →