CVE-2014-9489

Name of the Vulnerable Software and Affected Versions gollum versions prior to 3.1.1 gollum-lib versions prior to 4.0.1

Description The issue allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags when the string master is in any of the wiki documents. This is due to a vulnerability in the gollum-grit adapter Ruby gem dependency in gollum and the gollum-lib gem dependency in gollum-lib.

Recommendations For gollum versions prior to 3.1.1, update to version 3.1.1 or later. For gollum-lib versions prior to 4.0.1, update to version 4.0.1 or later. As a temporary workaround, consider restricting access to the -O and --open-files-in-pager flags until a patch is applied.