CVE-2014-2322: Arabic Prawn allows remote attackers to execute arbitrary commands via shell metacharacters
CVSS Score
7.5
Basic Information
CVE ID
GHSA ID
EPSS Score
0.78765%
CWE
-
Published
10/24/2017
Updated
11/5/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| arabic-prawn | rubygems | <= 0.0.1 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from multiple places in lib/string_utf_support.rb where the url and downloaded_file variables are interpolated directly into shell commands executed via %x{} (e.g., lines 426, 443, 445). These variables are not sanitized, so an attacker who controls them can inject additional commands via shell metacharacters. While the advisory does not name the affected methods, the code structure and the vulnerability description confirm that these patterns exist in the file, giving high confidence in the assessment.
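A Ruby illustration of the pattern the analysis describes, added here and not taken from the arabic-prawn gem: the vulnerable interpolation beside two hardened forms, plus a check that flags values the shell would interpret. The wget command, the sample URL and the file name are constructed stand-ins; the advisory does not give the gem's actual command lines.

```ruby
require 'shellwords'
require 'open3'
require 'rbconfig'

# Added example, not code from the arabic-prawn gem. The advisory only says
# that url and downloaded_file are interpolated into %x{} commands; the wget
# command below is a constructed stand-in for whatever the gem actually runs.

# Constructed sample values; the file name carries shell metacharacters.
SAMPLE_URL   = 'http://example.invalid/font.ttf'
HOSTILE_FILE = 'font.ttf; echo injected'

# Vulnerable pattern: the values are dropped straight into a command string.
# %x{} hands the whole string to /bin/sh, so ';' ends the intended command and
# starts another. Returned here as a string rather than executed, so it can be
# inspected without running anything.
def vulnerable_command(url, downloaded_file)
  "wget -O #{downloaded_file} #{url}"
end

# Hardened form 1: escape each value so the shell treats it as one literal word.
def escaped_command(url, downloaded_file)
  "wget -O #{Shellwords.escape(downloaded_file)} #{Shellwords.escape(url)}"
end

# Hardened form 2 (preferred): skip the shell entirely. Open3 with an argument
# array execs the program directly, so no metacharacter is ever interpreted.
# The ruby interpreter stands in for the real program so this runs offline.
def run_without_shell(downloaded_file)
  out, status = Open3.capture2(RbConfig.ruby, '-e', 'print ARGV[0]', downloaded_file)
  [out, status.success?]
end

# Input check usable for validation or detection: Shellwords.escape returns the
# string unchanged only when it contains nothing the shell would interpret.
def shell_safe?(value)
  Shellwords.escape(value) == value
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_command(SAMPLE_URL, HOSTILE_FILE)
  puts escaped_command(SAMPLE_URL, HOSTILE_FILE)
  p run_without_shell(HOSTILE_FILE)
end
```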