Lucene search

GitHub Advisory DatabaseGHSA-229R-PQP6-8W6G

HistoryOct 24, 2017 - 6:33 p.m.

sprout Arbitrary Code Execution vulnerability

2017-10-2418:33:36

CWE-94

GitHub Advisory Database

github.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

70.2%

JSON

The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.

CPENameOperatorVersion
sprouteq0.7.246

CPE	Name	Operator	Version
	sprout	eq	0.7.246

References

archives.neohapsis.com/archives/bugtraq/2013-12/0077.html

vapid.dhs.org/advisories/sprout-0.7.246-command-inj.html

www.openwall.com/lists/oss-security/2013/12/03/1

www.openwall.com/lists/oss-security/2013/12/03/6

github.com/advisories/GHSA-229r-pqp6-8w6g

github.com/rubysec/ruby-advisory-db/blob/master/gems/sprout/CVE-2013-6421.yml

nvd.nist.gov/vuln/detail/CVE-2013-6421

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

70.2%

JSON

Related for GHSA-229R-PQP6-8W6G