GitHub Advisory DatabaseGHSA-95XQ-V4M2-FQ3RGitLab Grit Gem for Ruby contains a flaw allowing arbitrary commands to be executed
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
57.5%
The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature.
GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script. The issue is triggered when input passed via the code search box is not properly sanitized, which allows strings to be evaluated by the shell. This may allow a remote attacker to execute arbitrary commands.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| gitlab-grit | lt | 2.6.1 |
References
github.com/advisories/GHSA-95xq-v4m2-fq3r
github.com/gitlabhq/grit/commit/40f33a4f4f5604c2a531a1d86901fd81ac4402c4
github.com/rubysec/ruby-advisory-db/blob/master/gems/gitlab-grit/CVE-2013-4489.yml
gitlab.com/gitlab-org/gitlab-grit/-/blob/v2.6.1/History.txt?ref_type=tags#L2
nvd.nist.gov/vuln/detail/CVE-2013-4489
www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
57.5%