RubySec

Providing security resources for the Ruby community

CVE-2013-6421 (sprout): sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution

ADVISORIES

GEM

sprout

SEVERITY

CVSS v2: 7.5

UNAFFECTED VERSIONS

  • < 0.7.246

PATCHED VERSIONS

None.

DESCRIPTION

sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb. The issue is due to the program failing to properly sanitize input passed via the ‘zip_file’, ‘dir’, ‘zip_name’, and ‘output’ parameters. This may allow a context-dependent attacker to execute arbitrary code.