CVE-2013-6421
sprout 0.7.246 - OS Command Injection via Archive Filename or Path
The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
References (4)
Core References
Third Party Advisory, mailing-list (x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2013-12/0077.html
Exploit, mailing-list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/12/03/1
Exploit, mailing-list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/12/03/6
Exploit (x_refsource_misc): http://vapid.dhs.org/advisories/sprout-0.7.246-command-inj.html
Scores
EPSS: 0.0123
EPSS Percentile: 79.4%
Details
CWE: CWE-94
Status: published
Products (2)
projectsprouts/sprout: 0.7.246
rubygems/sprout: RubyGems
Published: Dec 12, 2013
Tracked Since: Feb 18, 2026