Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2014-1834
Vulnerability from gsd - Updated: 2014-01-14 00:00Details
Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request
function that is triggered when a semi-colon (;) is injected into a username
or password. This may allow a context-dependent attacker to inject arbitrary
commands if the gem is used in a rails application.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-1834",
"description": "The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password.",
"id": "GSD-2014-1834"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "echor",
"purl": "pkg:gem/echor"
}
}
],
"aliases": [
"CVE-2014-1834",
"OSVDB-102129"
],
"details": "Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request\nfunction that is triggered when a semi-colon (;) is injected into a username\nor password. This may allow a context-dependent attacker to inject arbitrary\ncommands if the gem is used in a rails application.\n",
"id": "GSD-2014-1834",
"modified": "2014-01-14T00:00:00.000Z",
"published": "2014-01-14T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1834"
}
],
"schema_version": "1.4.0",
"summary": "echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1834",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140131 Re: echor 0.1.6 Ruby Gem exposes login credentials",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2014/01/31/10"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-1834",
"date": "2014-01-14",
"description": "Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request\nfunction that is triggered when a semi-colon (;) is injected into a username\nor password. This may allow a context-dependent attacker to inject arbitrary\ncommands if the gem is used in a rails application.\n",
"gem": "echor",
"osvdb": 102129,
"title": "echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1834"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.0.0",
"affected_versions": "All versions",
"credit": "Larry W. Cashdollar - Vapid Labs",
"cvss_v2": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-77",
"CWE-937"
],
"date": "2018-02-14",
"description": "The echor Gem for Ruby contains a flaw in `backplane.rb` in the `perform_request` function that is triggered when a semi-colon `;` is injected into a username or password. This may allow a context-dependent attacker to inject arbitrary commands if the gem is used in a RoR application.",
"fixed_versions": [],
"identifier": "CVE-2014-1834",
"identifiers": [
"CVE-2014-1834"
],
"package_slug": "gem/echor",
"pubdate": "2018-02-02",
"solution": "We are not currently aware of a solution for this vulnerability.",
"title": "Arbitrary Command Execution",
"urls": [
"http://osvdb.org/show/osvdb/102129"
],
"uuid": "57ca8b36-cfb8-4d66-92f7-e22a44851a9d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:echor_project:echor:0.1.6:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1834"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140131 Re: echor 0.1.6 Ruby Gem exposes login credentials",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2014/01/31/10"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2018-02-14T15:12Z",
"publishedDate": "2018-02-02T21:29Z"
}
}
}