VYPR
High severity · CVSS 8.8 · NVD Advisory · Published Oct 17, 2017 · Updated May 13, 2026

CVE-2014-9489

Description

The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1, and the gollum-lib gem dependency in gollum-lib before 4.0.1, allow remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags when the string "master" is in any of the wiki documents.
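Added example (not code from gollum, grit_adapter or this advisory): a small Ruby builder for git-grep arguments that removes the failure the description names by construction. `legacy_grep_argv` mirrors the pre-fix shape in which the raw user query sits in option position; `grep_argv` introduces every user-derived token with `-e` so git's option parser can only read it as a pattern; `option_injection_free?` is a check that can run in a test suite before any process is spawned. The `git` prefix, the `-e` approach, the fallback for unbalanced quotes and all helper names are assumptions of this example; nothing here invokes git.

```ruby
require 'shellwords'

# Options this helper is allowed to emit before the pattern list.
ALLOWED_OPTIONS = %w[-I -i -c -e].freeze

# Split a search-box string into patterns with Shellwords, but treat an
# unbalanced quote as one literal pattern instead of letting ArgumentError
# escape to the web layer (assumed policy for this example).
def split_patterns(query)
  Shellwords.split(query)
rescue ArgumentError
  [query]
end

# Pre-fix shape (assumption: the page's `args` line with a `git grep` prefix).
# The raw query sits where git expects options, so a query such as "-O" is
# parsed as a flag rather than as a search pattern.
def legacy_grep_argv(query, ref: 'HEAD', path: nil)
  argv = ['git', 'grep', '-I', '-i', '-c', query, ref, '--']
  argv << path if path
  argv
end

# Hardened shape: every user-derived token is introduced by "-e", so git's
# parser always reads it as a pattern, and "--" closes option parsing before
# the path list. git grep ORs multiple -e patterns.
def grep_argv(query, ref: 'HEAD', path: nil)
  patterns = split_patterns(query).reject(&:empty?)
  patterns = [query] if patterns.empty? # constructed choice: blank query searches literally
  argv = ['git', 'grep', '-I', '-i', '-c']
  patterns.each { |p| argv << '-e' << p }
  argv << ref << '--'
  argv << path if path
  argv
end

# Check usable in tests or just before spawning: walk argv up to "--" and
# reject any dash-prefixed token that is neither an allowed option nor the
# operand of "-e".
def option_injection_free?(argv)
  i = 2 # skip "git", "grep"
  while i < argv.length && argv[i] != '--'
    tok = argv[i]
    if tok == '-e'
      i += 2 # the token after -e is a pattern, never an option
      next
    end
    return false if tok.start_with?('-') && !ALLOWED_OPTIONS.include?(tok)
    i += 1
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample queries: a normal word and the two flags the advisory names.
  ['master', '-O', '--open-files-in-pager'].each do |q|
    puts format('%-24s legacy safe: %-5s hardened safe: %s', q.inspect,
                option_injection_free?(legacy_grep_argv(q)),
                option_injection_free?(grep_argv(q)))
  end
end
```

The check deliberately flags any unexpected dash-prefixed token, including a `ref` that starts with `-`, so a regression in either the query handling or the ref source shows up in the same place.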

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
gollum       RubyGems    < 3.1.1             3.1.1
gollum-lib   RubyGems    < 4.0.1             4.0.1

Patches

Commit 4520d973c81f: Fix security issue with git grep -O
Repository: https://github.com/gollum/grit_adapter
Author: Dawa Ometto, Dec 4, 2014 (source: GHSA)
1 file changed, +3 −0
  • lib/grit_adapter/git_layer_grit.rb (+3 −0, modified)
    @@ -136,6 +136,8 @@ def exist?
           
           def grep(query, options={})
             ref = options[:ref] ? options[:ref] : "HEAD"
    +        query = Shellwords.split(query).select {|q| !(q =~ /^(-O)|(--open-files-in-pager)/) }
    +        query = Shellwords.join(query)
             args = [{}, '-I', '-i', '-c', query, ref, '--']
             args << options[:path] if options[:path]
             result = @git.grep(*args).split("\n")
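Review bot: the added `query = Shellwords.split(query).select {|q| !(q =~ /^(-O)|(--open-files-in-pager)/) }` line is a deny-list of two option spellings, and the regex anchors only its first alternative (`^(-O)` versus an unanchored `(--open-files-in-pager)`), so the two forms are not filtered the same way; a deny-list is also the wrong shape for this bug, because the user string is still placed where git reads options. Suggest emitting each pattern as `'-e', pattern` in `args` so git's parser can only treat it as a pattern, and dropping the regex. Two smaller points: `Shellwords.split` raises `ArgumentError` on an unbalanced quote, so an ordinary search such as `it"s` would now surface as an exception from the web layer unless rescued here; and the hunk does not show a `require 'shellwords'`, so confirm it is loaded elsewhere in this file.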
    @@ -165,6 +167,7 @@ def rev_list(options, *refs)
           
           def ls_files(query, options = {})
             options[:ref] = options[:ref] ? options[:ref] : "HEAD"
    +        query = Shellwords.shellescape(query)
             @git.ls_files({}, "*#{query}*").split("\n")
           end
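Review bot: `Shellwords.shellescape(query)` on the added line is only a correct transformation if the `"*#{query}*"` argument is later handed to a shell; if `@git.ls_files` passes its arguments to git as an argv array, the backslashes it inserts become literal characters in the glob and searches for file names containing spaces or quotes silently stop matching. Check which path grit's `ls_files` takes and, if it is argv-based, drop the escaping (the leading `*` already prevents this argument from being read as an option) or document why it is needed; either way a one-line comment stating the intent would help the next reader.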
           
    
