RubySec

Providing security resources for the Ruby community

CVE-2013-2512 (ftpd): ftpd Gem for Ruby Shell Character Handling Remote Command Injection

GEM

ftpd

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 9.0 (High)

PATCHED VERSIONS

  • >= 0.2.2

DESCRIPTION

The ftpd gem for Ruby contains a flaw that is triggered when it handles a specially crafted option or filename containing a shell character. This may allow a remote attacker to inject arbitrary commands.
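
One way to check a project against the patched range above, as an added example (not code from the advisory or from the ftpd project): it scans `Gemfile.lock` text for a resolved ftpd version outside `>= 0.2.2`. The sample lockfile and the `example_dep` gem name are constructed for illustration.

```ruby
require "rubygems"

GEM_NAME = "ftpd"
# Patched range as listed under PATCHED VERSIONS in this advisory.
PATCHED = Gem::Requirement.new(">= 0.2.2")

# Constructed sample lockfile; "example_dep" is a hypothetical dependency.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_dep (1.0.1)
      ftpd (0.2.1)
        example_dep (~> 1.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    ftpd
LOCK

# Return the ftpd versions resolved in the lockfile text that fall outside
# the patched range. Resolved specs sit at a 4-space indent under "specs:";
# dependency constraints (6-space indent) and the DEPENDENCIES section
# (2-space indent, no exact version) are not resolved versions and are skipped.
def vulnerable_ftpd_versions(lockfile_text)
  pattern = /\A {4}#{Regexp.escape(GEM_NAME)} \(([^)\s]+)\)\s*\z/
  lockfile_text.each_line.map do |line|
    m = line.match(pattern)
    next unless m
    # Drop a platform suffix such as "-java" before parsing the version.
    version = Gem::Version.new(m[1][/\A[0-9A-Za-z.]+/])
    version unless PATCHED.satisfied_by?(version)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock, or run with no argument for the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = vulnerable_ftpd_versions(text)
  if hits.empty?
    puts "ftpd: no resolved version outside #{PATCHED}"
  else
    puts "ftpd: vulnerable version(s) #{hits.join(', ')}; upgrade to #{PATCHED}"
  end
end
```

A pre-release such as `0.2.2.pre` sorts below `0.2.2` in RubyGems ordering, so it is reported as outside the patched range.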