Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NXhxLXY0bTItZnEzcs4AAei0
GitLab Grit Gem for Ruby contains a flaw allowing arbitrary commands to be executed
The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature.
GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script. The issue is triggered when input passed via the code search box is handed to a shell without proper sanitization, so shell metacharacters in the query string are interpreted by the shell rather than treated as part of the search pattern. This allows a remote authenticated user to execute arbitrary commands on the GitLab server.
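The injection pattern described above, as an added example that is not code from Grit or GitLab: a hypothetical code-search helper that interpolates the user's query into a shell command string, beside two hardened forms (argv array with no shell, and Shellwords escaping). The function names, the grep-based search, the temporary repository directory and the payload string are all constructed for this illustration.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# Hypothetical stand-in for a code-search backend (not Grit's real code).
# VULNERABLE: the user-controlled query is interpolated into a single command
# string. Because the string contains shell metacharacters, Ruby runs it via
# /bin/sh -c, so ";" in the query terminates grep and starts a new command.
def search_vulnerable(repo_dir, query)
  out, _status = Open3.capture2e("grep -rn #{query} #{repo_dir}")
  out
end

# HARDENED: argv is passed as an array, so Ruby exec()s grep directly with no
# shell in between. The query is always exactly one argument, and "--" stops
# a query beginning with "-" from being parsed as a grep option.
def search_safe(repo_dir, query)
  out, _status = Open3.capture2e("grep", "-rn", "--", query, repo_dir)
  out
end

# ALTERNATIVE when a shell string is unavoidable: escape every token so the
# shell sees the query as one literal word.
def search_escaped(repo_dir, query)
  cmd = "grep -rn -- #{Shellwords.escape(query)} #{Shellwords.escape(repo_dir)}"
  out, _status = Open3.capture2e(cmd)
  out
end

# Runs all three variants against a constructed one-file "repository" and a
# constructed injection payload. The payload closes grep's argument list with
# /dev/null (so grep exits quickly), runs an extra command, then swallows the
# trailing directory argument with the shell no-op ":".
def demo
  Dir.mktmpdir("grit-search-demo") do |dir|
    File.write(File.join(dir, "app.rb"), "def handle_secret\nend\n")
    payload = "foo /dev/null; echo INJECTED; :"
    {
      benign_safe: search_safe(dir, "secret"),    # normal search still works
      vuln:        search_vulnerable(dir, payload), # output contains INJECTED
      safe:        search_safe(dir, payload),       # literal search, no match
      escaped:     search_escaped(dir, payload)     # literal search, no match
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, out| puts "#{name}: #{out.inspect}" }
end
```

The check to apply when auditing similar code: any `Kernel#system`, backtick, `IO.popen` or `Open3` call that receives a single interpolated string is suspect; prefer the multi-argument (argv) form, which never invokes a shell.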
Permalink: https://github.com/advisories/GHSA-95xq-v4m2-fq3r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NXhxLXY0bTItZnEzcs4AAei0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
Identifiers: GHSA-95xq-v4m2-fq3r, CVE-2013-4489
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-4489
- https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/
- https://gitlab.com/gitlab-org/gitlab-grit/-/blob/v2.6.1/History.txt?ref_type=tags#L2
- https://github.com/gitlabhq/grit/commit/40f33a4f4f5604c2a531a1d86901fd81ac4402c4
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/gitlab-grit/CVE-2013-4489.yml
- https://github.com/advisories/GHSA-95xq-v4m2-fq3r
Blast Radius: 0.0
Affected Packages
rubygems:gitlab-grit
Dependent packages: 18
Dependent repositories: 380
Downloads: 3,185,495 total
Affected Version Ranges: < 2.6.1
Fixed in: 2.6.1
All affected versions: 1.0.0, 2.5.0, 2.5.1, 2.5.2, 2.6.0
All unaffected versions: 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3