Vulnerability Details : CVE-2014-2888
Potential exploit
lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request.
Products affected by CVE-2014-2888
- cpe:2.3:a:herry:sfpagent:*:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.13:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.12:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.4:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.3:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.7:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.6:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.10:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.9:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.1:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.0:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.8:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.7:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.0:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.0.1:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.11:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.10:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.2:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.1:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.5:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.4:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.8:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.7:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.14:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.13:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.6:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.5:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.9:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.8:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.0:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.10:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.3:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.2:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.6:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.5:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.12:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.11:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.4:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.3:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.7:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.6:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.4.5:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.9:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.8:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.1:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.3.0:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.4:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.3:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.2.2:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.10:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.9:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.2:*:*:*:*:ruby:*:*
- cpe:2.3:a:herry:sfpagent:0.1.1:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2888
1.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 76 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-2888
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
References for CVE-2014-2888
-
http://www.openwall.com/lists/oss-security/2014/04/18/4
oss-security - Re: Remote Command Injection in Ruby Gem sfpagent 0.4.14Exploit
-
http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html
Exploit
-
http://www.openwall.com/lists/oss-security/2014/04/16/1
oss-security - Remote Command Injection in Ruby Gem sfpagent 0.4.14
-
http://seclists.org/fulldisclosure/2014/Apr/243
Full Disclosure: Remote Command Injection in Ruby Gem sfpagent 0.4.14
Jump to