PT-2014-4624 · Ruby · Arabic Prawn

Larry W. Cashdollar

Published 2014-05-02 · Updated 2017-10-24

CVE-2014-2322

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Arabic Prawn gem version 0.0.1
Description: The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the downloaded_file or url variable. The flaw lies in the lib/string_utf_support.rb file of the Arabic Prawn gem for Ruby.
Recommendations: For Arabic Prawn gem version 0.0.1, consider disabling the use of the downloaded_file and url variables until a patch is available, to prevent the execution of arbitrary commands. Avoid using the downloaded_file and url variables in sensitive operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
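The command-injection pattern the description refers to, shown as an added Ruby illustration that is not the gem's code (the function names, the curl command and the validation rules are assumptions made for this example): a command string built by interpolating the url and downloaded_file values, beside a hardened form that validates both inputs and runs the program with an argument vector so no shell ever parses them.

```ruby
require "open3"
require "uri"
require "rbconfig"

# Hypothetical reconstruction of the vulnerable pattern (NOT the gem's real
# code): `url` and `downloaded_file` are interpolated into one command string.
# If that string is passed to system()/backticks, /bin/sh parses it, so
# characters such as `;`, `|` and `$()` become commands, not data.
def vulnerable_fetch_command(url, downloaded_file)
  "curl -o #{downloaded_file} #{url}"
end

ALLOWED_SCHEMES = %w[http https].freeze
# Defense in depth only; the real protection is never invoking a shell.
SHELL_METACHARS = /[\s;&|`$<>()\\'"]/

# Accept only a plain http(s) URL with a host; everything else is rejected.
def validate_url!(url)
  raise ArgumentError, "shell metacharacters in URL" if url.match?(SHELL_METACHARS)
  uri = URI.parse(url)
  raise ArgumentError, "unsupported URL scheme" unless ALLOWED_SCHEMES.include?(uri.scheme)
  raise ArgumentError, "URL host missing" if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  raise ArgumentError, "malformed URL"
end

# The output name must be a bare file name: no path separators, no
# metacharacters, and no leading '-' that a program could read as an option.
def validate_output_path!(path)
  ok = path.match?(/\A[\w.\-]+\z/) && !path.start_with?("-") && ![".", ".."].include?(path)
  raise ArgumentError, "unsafe file name" unless ok
  path
end

# Hardened form: validated inputs go into an argument vector, never a string.
def safe_fetch_argv(url, downloaded_file)
  ["curl", "-o", validate_output_path!(downloaded_file), validate_url!(url)]
end

# Open3.capture2(*argv) execs the program directly: no shell is involved,
# so each element of argv arrives as exactly one argument.
def run_without_shell(argv)
  out, status = Open3.capture2(*argv)
  [out, status.success?]
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_fetch_command("http://example.com/a.pdf; id", "out.pdf")
  p safe_fetch_argv("https://example.com/a.pdf", "out.pdf")
  # Metacharacters survive as literal text when no shell parses them:
  p run_without_shell([RbConfig.ruby, "-e", "print ARGV[0]", "a; echo b"])
end
```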

Exploit


Related Identifiers

CVE-2014-2322
GHSA-HGMW-X865-HF9X

Affected Products

Arabic Prawn