PT-2013-3482 · Ruby · Kelredd-Pruview

Larry W. Cashdollar +1 · Published 2013-04-25 · Updated 2017-10-24 · CVE-2013-1947

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

kelredd-pruview gem version 0.3.8

Description

The issue allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to files such as document.rb, video.rb, or video_image.rb.

Recommendations

For kelredd-pruview gem version 0.3.8, consider restricting the use of the filename argument in the affected files until a patch is available. As a temporary workaround, validate and sanitize filename inputs to prevent the injection of shell metacharacters.
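
The workaround above, sketched in Ruby as an added example (not code from the kelredd-pruview gem): file names are checked against an allowlist, and the external program is started with an argument vector so that no shell parses the name. The helper names `checked_path`, `run_tool` and `echo_args`, the allowlist pattern, and the child Ruby process standing in for a converter binary are all assumptions.

```ruby
require "open3"
require "rbconfig"

# Assumed allowlist policy (not the gem's): letters, digits, dot, underscore
# and hyphen only, starting with a letter, digit or underscore.
SAFE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,254}\z/

# Returns the path of `name` inside `base_dir`, or raises ArgumentError when
# the name is not a plain allowlisted file name (no separators, spaces,
# shell metacharacters, leading "-" or leading ".").
def checked_path(base_dir, name)
  unless name.is_a?(String) && SAFE_NAME.match?(name)
    raise ArgumentError, "rejected file name: #{name.inspect}"
  end
  File.join(File.expand_path(base_dir), name)
end

# Runs an external program from an argument vector. The [program, argv0]
# form makes Ruby execute the program directly, so characters such as
# ; | & $ and backticks in an argument stay literal bytes.
def run_tool(program, *args)
  out, status = Open3.capture2([program, program], *args)
  raise "#{program} exited with #{status.exitstatus}" unless status.success?
  out
end

# Hypothetical stand-in for a converter binary: a child Ruby process that
# prints how many arguments it received and the first one verbatim.
def echo_args(*args)
  run_tool(RbConfig.ruby, "-e", "print ARGV.length, ':', ARGV[0]", "--", *args)
end

if $PROGRAM_NAME == __FILE__
  hostile = "report.pdf; echo INJECTED" # constructed sample input
  # Defence 1: even unvalidated, the name reaches the tool as one argument.
  puts echo_args(hostile)
  # Defence 2: validation rejects the name before any tool is started.
  begin
    checked_path("/tmp/uploads", hostile)
  rescue ArgumentError => e
    puts e.message
  end
end
```

Applying both checks is deliberate: the argument vector removes the shell from the call, and the allowlist keeps names such as `-o` or `../x` away from the tool's own option and path handling.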

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2013-1947
GHSA-78J3-7WPM-QHVP

Affected Products

Kelredd-Pruview