The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.