Release date:
Updated on:
Affected Systems:
Rubygems sprout 0.7.246
Description:
--------------------------------------------------------------------------------
Bugtraq id: 64047
CVE (CAN) ID: CVE-2013-6421
Sprout is a modular set of tools that makes creating and managing programming projects more efficient.
The unpack_zip() function in Sprout 0.7.246 and other versions has a security vulnerability. Attackers can inject shell metacharacters and execute shell commands.
<* Source: Larry W. Cashdollar (lwc@vapid.dhs.org)
Link: http://seclists.org/oss-sec/2013/q4/397
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Filename;id).zip
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Rubygems
--------
The vendor has not yet provided a patch or an upgrade. We recommend that users of the software check the vendor's homepage for the latest version:
http://rubygems.org/gems/sprout
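
The vulnerability class described above (an archive name with shell metacharacters reaching a shell through an interpolated command string), shown next to two hardened forms. This is an added Ruby example, not Sprout's code and not part of the original advisory; `echo` stands in for the unzip binary, and the file name and function names are constructed for illustration.

```ruby
require 'open3'
require 'shellwords'

# Constructed archive name containing shell metacharacters; the payload is a
# harmless echo so the effect is visible without side effects.
HOSTILE_NAME = 'docs;echo INJECTED;.zip'

# `echo` stands in for the real unzip binary so this runs offline (assumption).

# Vulnerable pattern: the name is interpolated into one string, so Ruby hands
# the whole line to /bin/sh, which treats ';' as a command separator.
def run_interpolated(zip_name, dir)
  out, _status = Open3.capture2e("echo unzip #{zip_name} -d #{dir}")
  out
end

# Hardened pattern: one argument per array element. No shell is started, so
# the name reaches the child process as a single literal argument.
def run_argv(zip_name, dir)
  out, _status = Open3.capture2e('echo', 'unzip', zip_name, '-d', dir)
  out
end

# Fallback when a shell string cannot be avoided: escape every dynamic value.
def run_escaped(zip_name, dir)
  cmd = "echo unzip #{Shellwords.escape(zip_name)} -d #{Shellwords.escape(dir)}"
  out, _status = Open3.capture2e(cmd)
  out
end

# True when the shell executed the embedded command as its own statement.
def injected?(output)
  output.lines.map(&:chomp).include?('INJECTED')
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: injected=#{injected?(run_interpolated(HOSTILE_NAME, 'out'))}"
  puts "argv array:   injected=#{injected?(run_argv(HOSTILE_NAME, 'out'))}"
  puts "escaped:      injected=#{injected?(run_escaped(HOSTILE_NAME, 'out'))}"
end
```

When auditing Ruby code for this pattern, look for backticks, `%x(...)`, and single-string `system` or `exec` calls whose string contains `#{...}` built from file names or paths.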