RubySec

Providing security resources for the Ruby community

CVE-2013-4203 (rgpg): rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution

ADVISORIES

GEM

rgpg

SEVERITY

CVSS v2: 7.5 (High)

PATCHED VERSIONS

  • >= 0.2.3

DESCRIPTION

rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution. This may allow a remote attacker to execute arbitrary commands.