RubySec

Providing security resources for the Ruby community

CVE-2016-10193 (espeak-ruby): espeak-ruby Gem for Ruby Arbitrary Command Execution

ADVISORIES

GEM

espeak-ruby

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • >= 1.0.3

DESCRIPTION

espeak-ruby passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to the speak, save, bytes and bytes_wav methods in the lib/espeak/speech.rb library.