md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
Published: April 13, 2013
SECURITY IDENTIFIERS
- CVE: CVE-2013-1948 (NVD)
- GHSA: GHSA-99ch-8mvp-g7m5
- OSVDB: OSVDB-92290
GEM
SEVERITY
CVSS v2.0: 10.0 (High)
PATCHED VERSIONS
None available.
DESCRIPTION
md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands