CVE-2013-7086: Growlnotify Message Handling Arbitrary Command Execution
The code in ./lib/webbynode/notify.rb does not fully sanitize user-supplied input before passing it to the shell via %x. A message delivered through the growlnotify command line can therefore be used to execute shell commands if it contains shell metacharacters.
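The pattern described above, reconstructed as an added Ruby example (not the gem's own code): the vulnerable form interpolates the message into a %x backtick string, which Ruby hands to /bin/sh; the hardened forms either spawn the program without a shell via Open3.capture2 or escape the message with Shellwords before interpolation. The function names are hypothetical, and `echo` stands in for growlnotify so the example runs on any machine.

```ruby
require "open3"
require "shellwords"

# NOTIFIER is `echo` here as a stand-in for growlnotify (assumption made so the
# example runs offline); the gem's real command is not reproduced.
NOTIFIER = "echo".freeze

# Vulnerable pattern (reconstructed for illustration): the message is
# interpolated into a %x string, which Ruby passes to `sh -c`, so any shell
# metacharacters in the message are parsed as shell syntax.
def notify_vulnerable(message)
  %x(#{NOTIFIER} #{message})
end

# Hardened form 1: spawn without a shell. Giving Open3.capture2 the program and
# each argument as separate strings uses the argv path of Process.spawn, so the
# message reaches the program as one literal argument however it is shaped.
def notify_safe(message)
  out, status = Open3.capture2(NOTIFIER, message)
  raise "#{NOTIFIER} exited with #{status.exitstatus}" unless status.success?
  out
end

# Hardened form 2: when a shell is unavoidable (for example a pipeline is needed),
# Shellwords.escape quotes every metacharacter so the string is a single word.
def notify_escaped(message)
  %x(#{NOTIFIER} #{Shellwords.escape(message)})
end

# Detection helper: a message is shell-unsafe exactly when escaping would change it.
def shell_metacharacters?(message)
  Shellwords.escape(message) != message
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a notification text carrying a command separator.
  sample = "deploy finished; echo INJECTED"
  puts "metacharacters? #{shell_metacharacters?(sample)}"
  puts "vulnerable: #{notify_vulnerable(sample).inspect}" # two commands ran
  puts "safe:       #{notify_safe(sample).inspect}"       # one command, message intact
  puts "escaped:    #{notify_escaped(sample).inspect}"
end
```

The argv form (`notify_safe`) is the preferred fix: no shell is involved at all, so there is no metacharacter list to get wrong. `shell_metacharacters?` is useful as a detection check in tests or logging, not as a sanitizer.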