PT-2018-4238 · Ruby · Vladtheenterprising

Larry W. Cashdollar

Published 2018-01-10 · Updated 2022-05-14 · CVE-2014-4996

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
VladTheEnterprising gem version 0.2

Description
The issue allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target host}. This is possible due to a vulnerability in the lib/vlad/dba/mysql.rb file of the VladTheEnterprising gem.

Recommendations
For version 0.2 of the VladTheEnterprising gem, consider restricting access to the lib/vlad/dba/mysql.rb file to minimize the risk of exploitation. As a temporary workaround, avoid using the /tmp/my.cnf.#{target host} file in the affected lib/vlad/dba/mysql.rb until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
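As an added example (not code from the VladTheEnterprising gem), the predictable-path write the advisory describes is shown beside a hardened writer that cannot be redirected by a pre-planted symlink. The directory, host name and file contents are constructed stand-ins, and the function names are hypothetical.

```ruby
require "tempfile"
require "tmpdir"
require "fileutils"

# Vulnerable pattern described in the advisory: the file name depends only on
# the target host, so a local user who pre-creates a symlink at that path in the
# shared /tmp directory has the gem's write land on whatever the link points at.
def write_cnf_predictable(dir, host, contents)
  path = File.join(dir, "my.cnf.#{host}")
  File.write(path, contents) # follows a symlink and truncates its target
  path
end

# O_NOFOLLOW refuses to traverse a symlink as the final path component; it is
# not available on every platform, so fall back to no extra flag.
def nofollow_flag
  File::Constants.const_defined?(:NOFOLLOW) ? File::NOFOLLOW : 0
end

# Write to exactly `path`: O_CREAT|O_EXCL makes open(2) fail with EEXIST when
# anything (a symlink included) already exists there, instead of following it.
def exclusive_write(path, contents)
  flags = File::WRONLY | File::CREAT | File::EXCL | nofollow_flag
  File.open(path, flags, 0600) { |f| f.write(contents) }
  path
end

# Hardened replacement for the /tmp/my.cnf.<host> write: an unpredictable name
# (mkstemp semantics via Tempfile.create, which already uses O_EXCL and 0600),
# so nothing can be planted at the path in advance. The caller removes the file.
def write_cnf_private(dir, host, contents)
  f = Tempfile.create("my.cnf.#{host}.", dir, mode: nofollow_flag)
  begin
    f.write(contents)
  ensure
    f.close
  end
  f.path
end

# Constructed demonstration in a scratch directory standing in for /tmp.
if __FILE__ == $PROGRAM_NAME
  scratch = Dir.mktmpdir
  puts write_cnf_private(scratch, "db1", "[client]\npassword=example\n")
  FileUtils.rm_rf(scratch)
end
```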

Weakness Enumeration

Link Following

Related Identifiers

CVE-2014-4996
GHSA-X4VJ-279X-QWF2

Affected Products

Vladtheenterprising