GHSA-229r-pqp6-8w6g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-229r-pqp6-8w6g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-229r-pqp6-8w6g/GHSA-229r-pqp6-8w6g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-229r-pqp6-8w6g
- Aliases
-
- CVE-2013-6421
- Published
- 2017-10-24T18:33:36Z
- Modified
- 2023-11-08T03:57:26.490474Z
- Summary
- sprout Arbitrary Code Execution vulnerability
- Details
-
The
unpack_zipfunction inarchive_unpacker.rbin the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path. - Database specific
{ "nvd_published_at": "2013-12-12T18:55:16Z", "cwe_ids": [ "CWE-94" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:50:49Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-6421
- https://github.com/lukebayes/project-sprouts
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sprout/CVE-2013-6421.yml
- http://archives.neohapsis.com/archives/bugtraq/2013-12/0077.html
- http://vapid.dhs.org/advisories/sprout-0.7.246-command-inj.html
- http://www.openwall.com/lists/oss-security/2013/12/03/1
- http://www.openwall.com/lists/oss-security/2013/12/03/6