Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00ZnZnLXB3djctdjU0Z84AAZ5y

Karteek Docsplit vulnerable to OS Command Injection

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.

Permalink: https://github.com/advisories/GHSA-4fvg-pwv7-v54g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZnZnLXB3djctdjU0Z84AAZ5y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 9 months ago

Identifiers: GHSA-4fvg-pwv7-v54g, CVE-2013-1933
References:

https://nvd.nist.gov/vuln/detail/CVE-2013-1933
https://exchange.xforce.ibmcloud.com/vulnerabilities/83277
http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html
http://www.openwall.com/lists/oss-security/2013/04/08/15
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/karteek-docsplit/CVE-2013-1933.yml
https://github.com/advisories/GHSA-4fvg-pwv7-v54g

Blast Radius: 1.0

Affected Packages

rubygems:karteek-docsplit

Affected Version Ranges: <= 0.5.4
No known fixed version