<p>Upgrade <code>hiera</code> to version 1.3.4 or higher.</p>

Arbitrary Code Execution Affecting hiera package, versions <1.3.4

Snyk CVSS

Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-HIERA-20426
published 14 Sep 2017
disclosed 6 May 2014
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 6 May 2014

CWE-94 Open this link in a new tab

How to fix?

Upgrade hiera to version 1.3.4 or higher.

Overview

hiera is a pluggable data store for hierarcical data.

Affected versions of the package are vulnerable to Arbitrary Code Execution. The current directory ('.') is on the load path for Ruby 1.8.7. If users create ruby source files with names that correspond to those that hiera trys to load, it may result in loading and the execution of these files.

References

Github Commit