Severity: 10.0 CRITICAL
EPSS: 5.4% (top 9.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 20; latest update May 13

Description

cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a (1) .tar.gz, (2) .zip, (3) .tgz, or (4) .tar file extension in a cartridge manifest file.

CVSS vector

AV:N/AC:L/C:C/I:C/A:C (Exploitability: 10.0 | Impact: 10.0)

Affected Packages (2 packages)

NVD: redhat/openshift_origin, versions 1.2.8, 2.1, 2.1.1 (+2 more)
NVD: redhat/openshift, 10 versions (+9 more)

Vulnerability Details (2)

GHSA: GHSA-9hjx-rfg8-xmx5: cartridge_repository (2022-05-13)
CVEList: CVE-2014-3496: cartridge_repository (2014-06-20)

Vendor Advisories (1)

Red Hat: Origin: Command execution as root via downloadable cartridge source-url (2014-06-17)

Community (1)

Bugzilla: CVE-2014-3496 OpenShift Origin: Command execution as root via downloadable cartridge source-url (2014-06-17)