RubySec

Providing security resources for the Ruby community

CVE-2013-2090 (cremefraiche): Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution

ADVISORIES

GEM

cremefraiche

SEVERITY

CVSS v2: 9.3

PATCHED VERSIONS

  • >= 0.6.1

DESCRIPTION

Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands