Published:2017/01/24 Last Updated:2017/01/24
JVN#50197114
smalruby-editor vulnerable to OS command injection
Overview
smalruby-editor contains an OS command injection vulnerability.
Products Affected
- smalruby-editor v0.4.0 and earlier
Description
smalruby-editor provided by Ruby Programming Shounendan is web-based editor to create Ruby programs. smalruby-editor containts an OS command injection vulnerability (CWE-78).
Impact
A remote attacker may execute arbitrary OS command on the server where smalruby-editor resides.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Ruby Programming Shounendan | Vulnerable | 2017/01/24 | Ruby Programming Shounendan website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score:
7.3
CVSS v2
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score:
7.5
Credit
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2017-2096 |
JVN iPedia |
JVNDB-2017-000010 |