RubySec

Providing security resources for the Ruby community

CVE-2013-1948 (md2pdf): md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution

ADVISORIES

GEM

md2pdf

SEVERITY

CVSS v2: 10.0

PATCHED VERSIONS

None.

DESCRIPTION

md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands