CVE-2014-0156: 
Ruby vulnerability analysis and mitigation

CVE-2014-0156 is an OS command injection vulnerability discovered in the Awesome spawn Ruby gem. The vulnerability allows execution of additional commands passed to Awesome spawn as arguments. The vulnerability was assigned by Red Hat, Inc. on December 3, 2013, and affects versions from 1.2.0 up to (excluding) 1.5.0 of the ManageIQ Awesome spawn package (NVD, RubySec).

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v2.0 base score of 7.5 (HIGH) with vector string (AV:N/AC:L/Au:N/C:P/I:P/A:P) (NVD).

If untrusted input is included in command arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the affected system. For example, a malicious actor could inject commands through parameters like AwesomeSpawn.run('ls',:params => {'-l' => ";touch haxored"}) (RubySec).

Users should upgrade to patched versions ~> 1.2.0 or >= 1.3.0 of the awesomespawn gem. A fix was implemented by separating command line building and sanitizing into its own class ([GitHub Patch](https://github.com/ManageIQ/awesomespawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff)).