CVE-2014-10075

Name of the Vulnerable Software and Affected Versions karo gem versions 2.3.8 through 2.5.2

Description The issue allows remote command injection via the host field. A flaw in the db.rb file is triggered when handling metacharacters, which may allow a remote attacker to execute arbitrary commands. Specifically, lines 76 and 95 pass unsanitized user-supplied input to the command line. This can lead to remote command injection, particularly if the gem is used in the context of a Rails application.

Recommendations For versions 2.3.8 through 2.5.2, consider disabling the use of the host field in the db.rb file until a patch is available. Restrict access to the db.rb file to minimize the risk of exploitation. Avoid using the host field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.