CVE-2014-4995: Command injection vulnerability

January 10, 2018 (updated January 30, 2018)

VladTheEnterprising Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/my.cnf.#{target_host} file they can overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary commands.

References

www.vapid.dhs.org/advisories/VladTheEnterprising-0.2.html

Code Behaviors & Features

Detect and mitigate CVE-2014-4995 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →