RubySec

Providing security resources for the Ruby community

CVE-2013-1875 (command_wrap): command_wrap Gem for Ruby URI Handling Arbitrary Command Injection

GEM

command_wrap

SEVERITY

CVSS v2: 7.5 (High)

PATCHED VERSIONS

None.

DESCRIPTION

The command_wrap gem for Ruby contains a flaw that is triggered when it handles input passed via a URL that contains a semicolon character (;). This allows a remote attacker to inject arbitrary commands and have them executed in the context of the user who clicks the URL.
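
The advisory does not show the gem's code. The following Ruby sketch is an added illustration, not code from command_wrap or RubySec: it shows why a semicolon in a URL becomes a second command when the URL is interpolated into a shell string, and how argv-style invocation or escaping keeps it as data. The function names, the use of `echo` as a stand-in for the wrapped external program, and the sample URL are all assumptions made for the example.

```ruby
require "open3"
require "shellwords"

# Constructed sample input: a URL with a semicolon followed by a harmless echo.
SAMPLE_URL = "http://example.com/;echo INJECTED"

# Vulnerable pattern: the URL is interpolated into a single string, so Ruby
# hands the string to /bin/sh, which treats ";" as a command separator.
# "echo fetch" is a hypothetical stand-in for the wrapped external tool.
def run_interpolated(url)
  out, _status = Open3.capture2("echo fetch #{url}")
  out.lines.map(&:chomp)
end

# Hardened: each argument is passed separately, so no shell is involved
# and the whole URL reaches the program as one argv entry.
def run_argv(url)
  out, _status = Open3.capture2("echo", "fetch", url)
  out.lines.map(&:chomp)
end

# Fallback when a shell string cannot be avoided: escape the untrusted value
# so the shell sees the semicolon and space as literal characters.
def run_escaped(url)
  out, _status = Open3.capture2("echo fetch #{Shellwords.escape(url)}")
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{run_interpolated(SAMPLE_URL).inspect}"
  puts "argv form:    #{run_argv(SAMPLE_URL).inspect}"
  puts "escaped:      #{run_escaped(SAMPLE_URL).inspect}"
end
```

In the interpolated case the output has two lines, showing that the text after the semicolon ran as its own command; the argv and escaped forms print the URL back unchanged on a single line.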