Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Thor by rubyonrails

    CVE-2025-54314 (GCVE-0-2025-54314)

    Vulnerability from nvd – Published: 2025-07-20 00:00 – Updated: 2025-08-10 00:19 Disputed
    VLAI
    Summary
    Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    rubyonrails Thor Affected: 0 , < 1.4.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54314",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-21T18:31:26.798255Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-21T20:37:14.593Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Thor",
              "vendor": "rubyonrails",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because \"the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments.\""
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-10T00:19:19.943Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa"
            },
            {
              "url": "https://hackerone.com/reports/3260153"
            },
            {
              "url": "https://github.com/rails/thor/pull/897"
            },
            {
              "url": "https://github.com/rails/thor/releases/tag/v1.4.0"
            },
            {
              "url": "https://github.com/github/advisory-database/pull/5912#issuecomment-3169255309"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-54314",
        "datePublished": "2025-07-20T00:00:00.000Z",
        "dateReserved": "2025-07-20T00:00:00.000Z",
        "dateUpdated": "2025-08-10T00:19:19.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54314 (GCVE-0-2025-54314)

    Vulnerability from cvelistv5 – Published: 2025-07-20 00:00 – Updated: 2025-08-10 00:19 Disputed
    VLAI
    Summary
    Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    rubyonrails Thor Affected: 0 , < 1.4.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54314",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-21T18:31:26.798255Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-21T20:37:14.593Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Thor",
              "vendor": "rubyonrails",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because \"the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments.\""
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-10T00:19:19.943Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa"
            },
            {
              "url": "https://hackerone.com/reports/3260153"
            },
            {
              "url": "https://github.com/rails/thor/pull/897"
            },
            {
              "url": "https://github.com/rails/thor/releases/tag/v1.4.0"
            },
            {
              "url": "https://github.com/github/advisory-database/pull/5912#issuecomment-3169255309"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-54314",
        "datePublished": "2025-07-20T00:00:00.000Z",
        "dateReserved": "2025-07-20T00:00:00.000Z",
        "dateUpdated": "2025-08-10T00:19:19.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }