Platform: ruby
Component: festivaltts4r
Fixed in: 0.2.1
CVE-2016-10194 describes a critical remote code execution (RCE) vulnerability affecting versions of the festivaltts4r Ruby gem up to and including 0.2.0. The flaw allows attackers to execute arbitrary commands on the system by injecting shell metacharacters into the input of specific methods. It resides in the lib/festivaltts4r/festival4r.rb file, specifically the tospeech and tomp3 methods. A patch is available; upgrading is the recommended solution.
The impact of CVE-2016-10194 is severe. Successful exploitation gives an attacker control over the server running the vulnerable Ruby application: installing malware, stealing sensitive data, modifying system files, or using the compromised server as a launchpad for further attacks against other systems on the network. Because arbitrary commands can be executed, the attacker's actions are limited only by the privileges of the affected process. Like other command injection flaws, the root cause is unsanitized input reaching a shell.
CVE-2016-10194 was publicly disclosed in 2017. While no active exploitation campaigns have been definitively linked to this specific CVE, the ease of exploitation and the potential for significant impact make it a persistent risk. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the feasibility of command execution.
Exploit Status
EPSS: 1.01% (77th percentile)
CVSS Vector
The primary mitigation for CVE-2016-10194 is to upgrade to a patched version of the festivaltts4r gem. If upgrading is not immediately feasible because of compatibility issues or breaking changes, implement strict input sanitization on the tospeech and tomp3 methods so that shell metacharacters cannot be injected. A Web Application Firewall (WAF) can additionally filter potentially malicious input. Regularly scan your Ruby dependencies for known vulnerabilities with tools such as Bundler Audit. After upgrading, verify the fix by attempting to execute a simple command through the tospeech or tomp3 methods and confirming that it is properly sanitized.
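As an added illustration of the vulnerable shape described above and of the sanitization the mitigation recommends (example code written for this page, not festivaltts4r's own; the festival command line, the printf stand-in and the character allowlist are assumptions):

```ruby
require "open3"
require "shellwords"

# Constructed sample input: ordinary punctuation that a shell would treat as
# metacharacters ($ expands, & backgrounds, ; separates commands).
SAMPLE_TEXT = "Tickets cost $5 & up; doors open at 7".freeze

# Vulnerable shape: caller input interpolated into one string that a shell
# will parse. Returned rather than executed so the shape can be inspected.
def shell_string_command(text)
  "echo #{text} | festival --tts"
end

# Hardened shape 1: pass the text as a discrete argv element. Kernel#system
# and Open3 skip the shell when given more than one argument, so nothing in
# +text+ is parsed as syntax. (Whether festival accepts input this way is an
# assumption; the point is the argv form, not the flag.)
def argv_command(text)
  ["festival", "--tts", "--", text]
end

# Hardened shape 2: when a shell string is unavoidable (a pipeline, say),
# quote the input with Shellwords so the shell sees one literal word.
def escaped_shell_command(text)
  "echo #{Shellwords.escape(text)} | festival --tts"
end

# Defence in depth: an assumed allowlist of letters, digits, whitespace and
# plain punctuation, rejecting everything else before it reaches a wrapper.
SPEECH_ALLOWED = /\A[\p{Alnum}\s.,!?'-]*\z/
def sanitize_for_speech(text)
  raise ArgumentError, "text contains characters outside the allowlist" unless SPEECH_ALLOWED.match?(text)
  text
end

# Runs a harmless stand-in (printf) with the argv form to show that the
# metacharacters reach the child process unchanged, never interpreted.
def argv_roundtrip(text)
  out, _status = Open3.capture2("printf", "%s", text)
  out
end
```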
CVE-2016-10194 is a critical remote code execution vulnerability in the festivaltts4r Ruby gem, allowing attackers to execute arbitrary commands via shell metacharacters in the tospeech or tomp3 methods.
You are affected if you are using the festivaltts4r gem in versions 0.2.0 or earlier. Check your Gemfile.lock to determine your version.
Upgrade to a patched version of the festivaltts4r gem. If upgrading is not possible, implement strict input sanitization on the vulnerable methods.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's ease of exploitation makes it a persistent risk.
Refer to the CVE details on the NVD website: https://nvd.nist.gov/vuln/detail/CVE-2016-10194