
CVE-2014-2322: Arabic Prawn allows remote attackers to execute arbitrary commands via shell metacharacters

CVSS Score: 7.5

Basic Information

EPSS Score: 0.78765%
CWE: -
Published: 10/24/2017
Updated: 11/5/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name: arabic-prawn
Ecosystem: rubygems
Vulnerable Versions: <= 0.0.1
First Patched Version: -

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from multiple places in lib/string_utf_support.rb where the url and downloaded_file variables are interpolated directly into shell command strings that are executed via %x{} (the advisory cites lines 426, 443 and 445). Neither value is validated or escaped before it reaches the shell, so an attacker who controls either one can terminate the intended command with shell metacharacters (;, |, &&, $(...), backticks) and append commands of their own, which then run with the privileges of the Ruby process. This is a textbook OS command injection (CWE-78) even though the advisory does not record a CWE. The advisory does not name the affected methods, but the interpolation pattern it describes is unambiguous, so confidence in this assessment is high.
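The following is an added example, not code from the arabic-prawn gem or from the advisory: it reproduces the interpolation pattern described above in a vulnerable function and places a hardened version beside it. Because the page does not show which external commands the gem runs, `printf '%s'` stands in for the real download tool; the payload URL, the function names and the `Open3`-based fix are all assumptions made for the illustration.

```ruby
require "open3"
require "uri"

# Constructed payload for this example: a URL whose path carries shell
# metacharacters but no whitespace, so it still parses as a valid URI.
# ";" ends the printf command; "$IFS" expands to shell whitespace, so the
# tail "echo$IFS'INJECTED'" becomes a second command, `echo INJECTED`.
INJECTED_URL = "http://example.com/font.ttf;echo$IFS'INJECTED'"

# Vulnerable pattern (illustrative, not the gem's actual code): the caller's
# URL is interpolated into a %x{} command string, so /bin/sh parses it.
# printf '%s' stands in for the real downloader; the injection mechanism is
# the same whatever command sits on the left of the interpolation.
def download_unsafe(url)
  %x{printf '%s' #{url}}
end

# Hardened form (assumed fix, not the project's own): validate the URL, then
# hand it to the command as its own argv element through Open3.capture2,
# which execs the binary directly. No shell runs, so ';', '$IFS' and quotes
# arrive at printf as literal bytes.
def download_safe(url)
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    raise ArgumentError, "malformed URL: #{url.inspect}"
  end
  unless %w[http https].include?(uri.scheme) && uri.host
    raise ArgumentError, "only http(s) URLs with a host are accepted"
  end
  out, status = Open3.capture2("printf", "%s", uri.to_s)
  raise "download command failed" unless status.success?
  out
end

# True when the shell executed the injected command: the output then ends
# with the echoed marker on its own line instead of with the URL's tail.
def injection_succeeded?(output)
  output.end_with?("INJECTED\n")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{download_unsafe(INJECTED_URL).inspect}"
  puts "safe:   #{download_safe(INJECTED_URL).inspect}"
end
```

Run stand-alone, the unsafe call prints the URL with `INJECTED` appended on a new line (the injected `echo` ran), while the safe call prints the URL back verbatim, metacharacters included. The same argv-array discipline applies to `system`, `spawn` and `IO.popen`; if a command string must be built, wrap each untrusted piece with `Shellwords.escape`, but passing an array is the simpler and safer habit.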


WAF Protection Rules

WAF Rule

`lib/string_utf_support.rb` in the Arabic Prawn 0.0.1 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) downloaded_file or (2) url variable.
