RubySec

Providing security resources for the Ruby community

CVE-2014-0156 (awesome_spawn): OS command injection flaw in awesome_spawn

GEM

awesome_spawn

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 6.8 (Medium)

PATCHED VERSIONS

  • ~> 1.2.0
  • >= 1.3.0

DESCRIPTION

AwesomeSpawn contains an OS command injection vulnerability: option values passed to AwesomeSpawn as parameters are interpolated into the shell command line unescaped, so shell metacharacters in a value cause additional commands to be executed, e.g. AwesomeSpawn.run('ls', :params => {'-l' => ";touch haxored"}). If untrusted input is included in command arguments, an attacker could use this flaw to execute arbitrary commands.
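The following is an added illustration, not code from the awesome_spawn gem: it rebuilds the unsafe "join the params into a shell string" pattern the advisory describes, next to two defensive measures (an allow-list check on option values and Shellwords escaping from the Ruby standard library). The helper names, the SAFE_VALUE allow-list and the sample value are constructed for this example.

```ruby
require 'shellwords'

# Constructed, deliberately strict allow-list for option values: letters,
# digits and a few punctuation characters that carry no meaning to /bin/sh.
SAFE_VALUE = /\A[A-Za-z0-9_\-.\/:=,@]*\z/

# Expands a params hash into command-line tokens: a nil value is a bare
# flag, anything else is "flag value".
def param_tokens(params)
  params.flat_map { |k, v| v.nil? ? [k.to_s] : [k.to_s, v.to_s] }
end

# Input validation: true only when every param value matches the allow-list.
# Rejecting early is independent of how the command line is later built.
def safe_params?(params)
  params.values.all? { |v| v.nil? || SAFE_VALUE.match?(v.to_s) }
end

# The vulnerable pattern: tokens are joined verbatim, so a value such as
# ";touch haxored" keeps its metacharacters and a shell would run it as a
# second command. Shown only for contrast; never pass this result to a shell.
def unsafe_command_line(command, params)
  ([command] + param_tokens(params)).join(' ')
end

# Hardened variant: every token is shell-escaped, so the same value reaches
# the program as one literal argument rather than a new command.
def escaped_command_line(command, params)
  ([command] + param_tokens(params)).map { |t| Shellwords.escape(t) }.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  hostile = { '-l' => ';touch haxored' }   # the advisory's example value
  puts "allow-list passes? #{safe_params?(hostile)}"
  puts "unsafe:  #{unsafe_command_line('ls', hostile)}"
  puts "escaped: #{escaped_command_line('ls', hostile)}"
end
```

Note that escaping only neutralises the shell layer; an option value can still be dangerous to the program itself, so the allow-list check is worth keeping even when the command line is escaped.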