CVE-2014-10075 – karo
Package
Manager: gem
Name: karo
Vulnerable Version: >=0 <=2.5.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03343 (percentile 0.86818)
Details
karo Metacharacter Handling Remote Command Execution

The karo gem through 2.5.2 for Ruby allows remote command injection via the host field. A flaw in `db.rb` is triggered when handling shell metacharacters, which may allow a remote attacker to execute arbitrary commands. In particular, lines 76 and 95 (as of `2014-06-01`) pass unsanitized user-supplied input to the command line: the configuration values are interpolated into a command string that is then handed to a shell (backticks on line 76, the `command` string built for the `postgresql` branch around line 95), so a `host`, `username` or `database` value containing characters such as `;`, `|` or `$(...)` becomes additional shell commands rather than a literal argument.

```
73- host = "#{@configuration["user"]}@#{@configuration["host"]}"
74- cmd = "ssh #{host} cat #{server_db_config_file}"
75-
76: server_db_config_output = `#{cmd}`
79-
--
89- def drop_and_create_local_database(local_db_config)
90- command = case local_db_config["adapter"]
91- when "mysql2"
93- when "postgresql"
95- dropdb -h #{local_db_config["host"]} -U #{local_db_config["username"]} --if-exists #{local_db_config["database"]}
```

If this gem is used in the context of a Rails application, malicious input could lead to remote command injection. As of version 2.5.2 the affected code lines have not changed.
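The following Ruby script is an added illustration of the injection class described above and of the usual fix; it is not code from the karo gem or from the advisory. It reproduces the vulnerable shape (a configuration value interpolated into a command string that a shell parses) beside the hardened shape (an argv array passed to `Open3.capture2`, which execs the program directly and never invokes `/bin/sh`), plus an allowlist check for the `host` field. The configuration hash, the `echo INJECTED` payload and all function names are constructed for this example; `echo` stands in for `ssh` and `dropdb` so the script runs harmlessly offline.

```ruby
require "open3"
require "shellwords"

# Constructed sample configuration (hypothetical, not from karo): the "host"
# value carries a shell metacharacter payload of the kind the advisory describes.
MALICIOUS_CONFIG = {
  "user"     => "deploy",
  "host"     => "db.example.com; echo INJECTED",
  "database" => "app_production",
  "username" => "app",
}.freeze

# Vulnerable shape, mirroring lines 73-76 of db.rb: interpolate config values
# into one string. Returned rather than executed so the effect is visible
# without touching the system. Note how the payload splits the command.
def vulnerable_ssh_command(config, remote_file = "config/database.yml")
  host = "#{config["user"]}@#{config["host"]}"
  "ssh #{host} cat #{remote_file}"
end

# Hardened shape: each argument is its own array element. Kernel#system,
# Process.spawn and Open3 with multiple arguments exec the program directly,
# so metacharacters inside an element stay literal bytes.
def safe_ssh_argv(config, remote_file = "config/database.yml")
  ["ssh", "#{config["user"]}@#{config["host"]}", "cat", remote_file]
end

# Same treatment for the postgresql branch around line 95 of db.rb.
def safe_dropdb_argv(db)
  ["dropdb", "-h", db["host"], "-U", db["username"], "--if-exists", db["database"]]
end

# When a single command string is unavoidable (for example a remote command
# sent over ssh, which is re-parsed by the remote shell), escape each value.
def escaped_ssh_command(config, remote_file = "config/database.yml")
  host = Shellwords.escape("#{config["user"]}@#{config["host"]}")
  "ssh #{host} cat #{Shellwords.escape(remote_file)}"
end

# Allowlist for the host field: RFC 1123 hostname labels only. Anything that
# is not a hostname (spaces, ';', '|', '$', quotes) is rejected up front.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def valid_host?(host)
  host.is_a?(String) && HOSTNAME_RE.match?(host)
end

# Demonstration with `echo` in place of `ssh`: a single string containing
# metacharacters makes Open3 go through /bin/sh, which runs the payload as a
# second command; the argv form prints the payload back as one literal argument.
def run_via_shell(config)
  out, _status = Open3.capture2("echo #{config["user"]}@#{config["host"]}")
  out.lines.map(&:chomp)
end

def run_via_argv(config)
  out, _status = Open3.capture2("echo", "#{config["user"]}@#{config["host"]}")
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable string : #{vulnerable_ssh_command(MALICIOUS_CONFIG)}"
  puts "shell output      : #{run_via_shell(MALICIOUS_CONFIG).inspect}"
  puts "argv output       : #{run_via_argv(MALICIOUS_CONFIG).inspect}"
  puts "host allowed?     : #{valid_host?(MALICIOUS_CONFIG["host"])}"
end
```

Running the script shows the shell variant emitting a second line (`INJECTED`) that came from the configuration value, while the argv variant emits the whole value as one line. The allowlist is the check a Rails application wrapping this gem should apply before any configuration value reaches a command, independently of how the gem itself builds its commands.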
Metadata
Created: 2022-05-14T01:49:44Z
Modified: 2025-08-15T13:55:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qfwq-chf4-jvwg/GHSA-qfwq-chf4-jvwg.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-qfwq-chf4-jvwg
Finding: F422
Auto approve: 1