Symlink File Overwrite Affecting vladtheenterprising package, versions >=0.0.0

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.04% (6^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-VLADTHEENTERPRISING-20183
published 29 Jun 2014
disclosed 29 Jun 2014
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 29 Jun 2014

CVE-2014-4995 Open this link in a new tab CWE-208 Open this link in a new tab

Overview

VladTheEnterprising is a series of packages to help using the Vlad gem to manage "enterprise" environments. Affected versions of this Gem contain a flaw causing the program to create temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/my.cnf.#{target_host} file they can overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary commands.

References

http://rubysec.com/advisories/CVE-2014-4995