CVE-2015-7541
Severity: CRITICAL
colorscore < 0.0.5 - OS Command Injection via Histogram Image Path
Title source: manual
Description
The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable. All three values are interpolated unescaped into a command string that is executed through the shell, so a metacharacter such as `;` or `$(...)` in any of them turns into an additional shell command run with the privileges of the Ruby process. Any application that passes a user-controlled file name or option into Colorscore::Histogram.new is exposed; fixed in 0.0.5.
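The following Ruby example is added here to show the vulnerable pattern and two fixes; it is not the gem's source and not the upstream patch. The command shape is an illustrative reconstruction of a `convert ... histogram:info:-` invocation, `echo` is substituted for `convert` so the code runs without ImageMagick, and the attacker-controlled path `photo.png; echo INJECTED` is a constructed input. `EVIL_PATH`, the `tool:` keyword and the helper names are assumptions for the demonstration.

```ruby
require 'open3'
require 'shellwords'

# Constructed attacker input: a "path" that carries shell metacharacters.
EVIL_PATH = 'photo.png; echo INJECTED'

# Vulnerable shape (an illustrative reconstruction, not the gem's verbatim
# source): every argument is interpolated into one command string. Ruby hands
# a string like this to /bin/sh -c, so ';', '|', '$(...)' and friends in
# image_path, colors or depth are parsed by the shell, not passed to convert.
def unsafe_histogram_command(image_path, colors = 16, depth = 8, tool: 'convert')
  "#{tool} #{image_path} -resize 400x400 -format %c -dither None " \
    "-quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-"
end

# Fix 1: keep the shell but escape each interpolated value and coerce the
# numeric options. Shellwords.escape quotes every metacharacter; Integer()
# raises ArgumentError on anything that is not a whole number.
def escaped_histogram_command(image_path, colors = 16, depth = 8, tool: 'convert')
  "#{tool} #{Shellwords.escape(image_path.to_s)} -resize 400x400 -format %c " \
    "-dither None -quantize YIQ -colors #{Integer(colors)} -depth #{Integer(depth)} " \
    'histogram:info:-'
end

# Fix 2 (preferred): no shell at all. Build an argv array; Open3/Process.spawn
# exec the program directly when given multiple arguments, so each element is
# delivered to the program verbatim whatever characters it contains.
def safe_histogram_argv(image_path, colors = 16, depth = 8, tool: 'convert')
  [tool, image_path.to_s, '-resize', '400x400', '-format', '%c',
   '-dither', 'None', '-quantize', 'YIQ',
   '-colors', Integer(colors).to_s, '-depth', Integer(depth).to_s,
   'histogram:info:-']
end

# The three runners below substitute `echo` for `convert` so the demonstration
# is harmless and needs no ImageMagick: echo prints the argument list it
# actually received, which is exactly what we want to inspect. Each returns
# the output split into stripped lines; a second line means a second command ran.
def run_unsafe(image_path)
  out, _status = Open3.capture2e(unsafe_histogram_command(image_path, tool: 'echo'))
  out.lines.map(&:strip)
end

def run_escaped(image_path)
  out, _status = Open3.capture2e(escaped_histogram_command(image_path, tool: 'echo'))
  out.lines.map(&:strip)
end

def run_safe(image_path)
  out, _status = Open3.capture2e(*safe_histogram_argv(image_path, tool: 'echo'))
  out.lines.map(&:strip)
end

# Cheap pre-check for callers that must reject rather than escape: true if the
# value contains any character the Bourne shell treats specially.
def shell_metachars?(value)
  value.to_s.match?(/[;&|`$()<>\s\\'"*?\[\]{}~#!]/)
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe:  #{run_unsafe(EVIL_PATH).inspect}"   # two lines: the injected echo ran
  puts "escaped: #{run_escaped(EVIL_PATH).inspect}"  # one line, payload kept literal
  puts "argv:    #{run_safe(EVIL_PATH).inspect}"     # one line, same as escaped
end
```

Running the file prints the unsafe variant producing two lines (the shell executed `echo INJECTED ...` as a second command) while both fixed variants print a single line in which the payload survives only as literal text. Of the two fixes, the argv form is the one to prefer: it removes the shell from the call path entirely, so there is no escaping routine to get wrong and no dependence on which `sh` is installed.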
References (3)
Advisory (x_refsource_misc): http://rubysec.com/advisories/CVE-2015-7541/
Mailing list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2016/01/05/2
Patch (x_refsource_confirm): https://github.com/quadule/colorscore/commit/570b5e854cecddd44d2047c44126aed951b61718
Scores
CVSS v3
10.0
EPSS
0.0130
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (2)
colorscore_project/colorscore
<= 0.0.4 (all releases before 0.0.5)
rubygems/colorscore
>= 0, < 0.0.5 (RubyGems)
Published
Jan 08, 2016
Tracked Since
Feb 18, 2026