CVE-2014-9489 - OpenCVE

The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gollum Project	Gollum Gollum-lib Grit Adapter

Configuration 1 [-]

OR	cpe:2.3:a:gollum_project:gollum::::::::
	cpe:2.3:a:gollum_project:gollum-lib::::::::
	cpe:2.3:a:gollum_project:grit_adapter::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2015/01/03/19
http://www.securityfocus.com/bid/71499
https://github.com/gollum/gollum/issues/913
https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-17T14:00:00

Updated: 2024-08-06T13:47:41.328Z

Reserved: 2015-01-03T00:00:00

Link: CVE-2014-9489

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-10-17T14:29:00.383

Modified: 2017-11-08T16:20:11.777

Link: CVE-2014-9489

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-04T00:00:00", "descriptions": [{"lang": "en", "value": "The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string \"master\" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-17T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20150103 Re: Re: CVE request: remote code execution vulnerability in gollum < 3.1.1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/19"}, {"name": "71499", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/71499"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gollum/gollum/issues/913"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9489", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string \"master\" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20150103 Re: Re: CVE request: remote code execution vulnerability in gollum < 3.1.1", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/03/19"}, {"name": "71499", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71499"}, {"name": "https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7", "refsource": "CONFIRM", "url": "https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7"}, {"name": "https://github.com/gollum/gollum/issues/913", "refsource": "CONFIRM", "url": "https://github.com/gollum/gollum/issues/913"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:47:41.328Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20150103 Re: Re: CVE request: remote code execution vulnerability in gollum < 3.1.1", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/19"}, {"name": "71499", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/71499"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/gollum/gollum/issues/913"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9489", "datePublished": "2017-10-17T14:00:00", "dateReserved": "2015-01-03T00:00:00", "dateUpdated": "2024-08-06T13:47:41.328Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gollum_project:gollum:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDE42401-5796-4344-8F36-6ADAF3F9BCC3", "versionEndIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gollum_project:gollum-lib:*:*:*:*:*:*:*:*", "matchCriteriaId": "60C6C351-422D-4BA5-8A6E-AE83D7333C9F", "versionEndIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gollum_project:grit_adapter:*:*:*:*:*:*:*:*", "matchCriteriaId": "D163A425-67EC-4F51-8CD9-151DB5A5272D", "versionEndIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string \"master\" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags."}, {"lang": "es", "value": "La dependencia en Ruby gollum-grit_adapter en gollum en versiones anteriores a la 3.1.1 y la dependencia de la gema gollum-lib en las versiones anteriores a la 4.0.1 de gollum-lib, cuando la cadena \"master\" est\u00e1 en alguno de los documentos wiki, permite que usuarios autenticados remotos ejecuten c\u00f3digo arbitrario mediante las marcas -O u --open-files-in-pager."}], "id": "CVE-2014-9489", "lastModified": "2017-11-08T16:20:11.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-17T14:29:00.383", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/19"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/71499"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/gollum/gollum/issues/913"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}