RubySec

Providing security resources for the Ruby community

CVE-2014-0156 (awesome_spawn): OS command injection flaw in awesome_spawn

GEM

awesome_spawn

SEVERITY

CVSS v2: 6.8

PATCHED VERSIONS

  • ~> 1.2.0
  • >= 1.3.0

DESCRIPTION

awesome_spawn contains an OS command injection vulnerability that allows execution of additional commands passed to AwesomeSpawn as arguments, e.g. AwesomeSpawn.run('ls', :params => {'-l' => ';touch haxored'}). If untrusted input is included in command arguments, an attacker could use this flaw to execute arbitrary commands.
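As an added illustration (not awesome_spawn's own code), the hypothetical build_unsafe below mirrors the unescaped string-building pattern the advisory describes, build_safe shows the stdlib Shellwords fix, and top_level_commands counts how many separate commands a POSIX shell would run for a given command line:

```ruby
require 'shellwords'

# Hypothetical helper mirroring the flaw: each key and value from the
# :params hash is joined into one shell string without escaping, so a
# value like ";touch haxored" terminates the first command and starts
# a second one.
def build_unsafe(command, params)
  parts = [command]
  params.each { |k, v| parts << k.to_s; parts << v.to_s if v }
  parts.join(' ')
end

# Hypothetical fixed helper: Shellwords.escape is applied to every token,
# so the same value reaches the program as a single literal argument.
def build_safe(command, params)
  parts = [command]
  params.each { |k, v| parts << k.to_s; parts << v.to_s if v }
  parts.map { |t| Shellwords.escape(t) }.join(' ')
end

# Splits a command line on ';' the way a POSIX shell would, honouring
# backslash escapes and single/double quotes. Returns the list of commands
# that would actually execute; a length above 1 means injection succeeded.
def top_level_commands(cmdline)
  commands, current, quote, escaped = [], +'', nil, false
  cmdline.each_char do |c|
    if escaped
      current << c
      escaped = false
    elsif c == '\\' && quote != "'"
      escaped = true
      current << c
    elsif quote
      quote = nil if c == quote
      current << c
    elsif c == '"' || c == "'"
      quote = c
      current << c
    elsif c == ';'
      commands << current.strip
      current = +''
    else
      current << c
    end
  end
  commands << current.strip unless current.strip.empty?
  commands
end
```

Running top_level_commands on both builders with the advisory's own params shows the unsafe line expanding to two commands while the escaped line stays a single ls invocation whose last argument is the literal string ";touch haxored".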