Описание
colorscore Command Injection vulnerability
The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2015-7541
- https://github.com/quadule/colorscore/commit/570b5e854cecddd44d2047c44126aed951b61718
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/colorscore/CVE-2015-7541.yml
- http://rubysec.com/advisories/CVE-2015-7541
- http://seclists.org/oss-sec/2016/q1/17
- http://www.openwall.com/lists/oss-security/2016/01/05/2
Пакеты
Наименование
colorscore
rubygems
Затронутые версииВерсия исправления
< 0.0.5
0.0.5
Связанные уязвимости
CVSS3: 10
nvd
около 10 лет назад
The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable.
fstec
около 10 лет назад
Уязвимость расширения интерпретатора Ruby Colorscore, позволяющая нарушителю выполнить произвольный код