RubySec

Providing security resources for the Ruby community

CVE-2015-7541 (colorscore): colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection

ADVISORIES

GEM

colorscore

SEVERITY

CVSS v3.x: 10.0 (Critical)

PATCHED VERSIONS

  • >= 0.0.5

DESCRIPTION

The contents of the image_path, colors, and depth variables, generated from possibly user-supplied input, are passed directly to the shell as part of a convert ... command line.

If a user supplies a value that includes shell metacharacters such as ‘;’, an attacker may be able to execute shell commands on the remote system as the user id of the Ruby process.

To resolve this issue, the aforementioned variables (especially image_path) must be sanitized for shell metacharacters.
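The pattern the advisory describes, shown as an added example in Ruby that is not colorscore's own code: a hypothetical reconstruction of the vulnerable string-interpolation form (returned, never executed), beside two hardened forms, an argument vector handed to Open3 so no shell is involved, and Shellwords.escape for cases where a shell string must be kept. The convert options (-colors, -depth, histogram:info:-) are assumed for illustration and may differ from the gem's real invocation; the check at the end uses /usr/bin/printf as a stand-in for convert so the example runs without ImageMagick.

```ruby
require "open3"
require "shellwords"

# Characters /bin/sh treats specially; a path containing any of them is rejected
# outright. (Space is deliberately absent: it is harmless in argv form and is
# handled by Shellwords.escape in the string form.)
SHELL_META = /[;&|`$()<>\\"'*?\[\]{}!#~\n]/

# Hypothetical reconstruction of the vulnerable pattern described in the
# advisory: untrusted values interpolated into one string that backticks or
# system() would hand to /bin/sh. Returned as a string for comparison only.
def vulnerable_command(image_path, colors, depth)
  "convert #{image_path} -colors #{colors} -depth #{depth} histogram:info:-"
end

# First layer: reject anything that is not a plain path or a positive Integer
# before the values get anywhere near a command line.
def validate_inputs!(image_path, colors, depth)
  raise ArgumentError, "colors must be a positive Integer" unless colors.is_a?(Integer) && colors.positive?
  raise ArgumentError, "depth must be a positive Integer" unless depth.is_a?(Integer) && depth.positive?
  raise ArgumentError, "image_path must be a non-empty String" unless image_path.is_a?(String) && !image_path.empty?
  raise ArgumentError, "image_path contains shell metacharacters" if image_path.match?(SHELL_META)
  raise ArgumentError, "image_path may not start with '-' (would parse as an option)" if image_path.start_with?("-")
  true
end

# Second layer, preferred form: build an argument vector. With more than one
# argument, Open3 / Process.spawn execve() the program directly, so no shell
# ever parses the values and ';' is just a byte in a filename.
def build_argv(image_path, colors, depth)
  validate_inputs!(image_path, colors, depth)
  ["convert", image_path, "-colors", colors.to_s, "-depth", depth.to_s, "histogram:info:-"]
end

def run_argv(argv)
  out, status = Open3.capture2(*argv)
  raise "#{argv.first} failed: #{status}" unless status.success?
  out
end

# Alternative second layer, if a shell string must be kept (e.g. for a pipeline):
# every interpolated value is escaped so the shell sees it as one literal word.
def escaped_command(image_path, colors, depth)
  validate_inputs!(image_path, colors, depth)
  "convert #{Shellwords.escape(image_path)} -colors #{colors} -depth #{depth} histogram:info:-"
end

# Demonstrates that the argv form passes a value through unchanged even when it
# contains a metacharacter: printf prints exactly the argument it received.
# (printf stands in for convert here so the example runs without ImageMagick.)
def literal_argument_roundtrip(value)
  run_argv(["printf", "%s", value])
end

if $PROGRAM_NAME == __FILE__
  p build_argv("photo.png", 16, 8)
  puts escaped_command("my photo.png", 16, 8)
  p literal_argument_roundtrip("photo.png; ls")
  begin
    build_argv("photo.png; ls", 16, 8)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The validation step alone would already close the hole the advisory describes; the argv form is still the one to prefer, because it removes the shell from the call path entirely instead of trying to enumerate every character the shell might interpret.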