CVE-2014-9489: Improper Access Control

November 16, 2017 (updated September 16, 2021)

The gollum-grit_adapter Ruby gem dependency in gollum and the gollum-lib gem dependency in gollum-lib when the string “master” is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or –open-files-in-pager flags.

References

www.openwall.com/lists/oss-security/2015/01/03/19
www.securityfocus.com/bid/71499
github.com/advisories/GHSA-q97v-764g-r2rp
github.com/gollum/gollum/issues/913
github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7
nvd.nist.gov/vuln/detail/CVE-2014-9489

Code Behaviors & Features

Detect and mitigate CVE-2014-9489 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →