RubySec

Providing security resources for the Ruby community

CVE-2013-1911 (ldoce): ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution

ADVISORIES

GEM

ldoce

SEVERITY

CVSS v2: 6.8

PATCHED VERSIONS

None.

DESCRIPTION

ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.