Arbitrary Code Execution Affecting hiera package, versions <1.3.4
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-HIERA-20426
- published 14 Sep 2017
- disclosed 6 May 2014
- credit Unknown
How to fix?
Upgrade hiera
to version 1.3.4 or higher.
Overview
hiera
is a pluggable data store for hierarcical data.
Affected versions of the package are vulnerable to Arbitrary Code Execution. The current directory ('.') is on the load path for Ruby 1.8.7. If users create ruby source files with names that correspond to those that hiera trys to load, it may result in loading and the execution of these files.