PT-2013-6041 · Ruby · Sprout

Larry W. Cashdollar

Published

2013-12-12

Updated

2017-10-24

CVE-2013-6421

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions sprout gem version 0.7.246

Description The issue allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename or path. This is due to a problem in the unpack zip function in archive unpacker.rb.

Recommendations For sprout gem version 0.7.246, consider disabling the unpack zip function until a patch is available to prevent the execution of arbitrary commands. Restrict the use of shell metacharacters in filenames and paths to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2013-6421

GHSA-229R-PQP6-8W6G

Affected Products

Sprout

PT-2013-6041 · Ruby · Sprout

CVE-2013-6421

Weakness Enumeration

Related Identifiers

Affected Products

References · 8