Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczcXctd3c2Mi1tNTR4
colorscore Command Injection vulnerability
The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczcXctd3c2Mi1tNTR4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: 8 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-73qw-ww62-m54x, CVE-2015-7541
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-7541
- https://github.com/quadule/colorscore/commit/570b5e854cecddd44d2047c44126aed951b61718
- http://rubysec.com/advisories/CVE-2015-7541/
- http://www.openwall.com/lists/oss-security/2016/01/05/2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/colorscore/CVE-2015-7541.yml
- http://seclists.org/oss-sec/2016/q1/17
- https://github.com/advisories/GHSA-73qw-ww62-m54x
Blast Radius: 12.0
Affected Packages
rubygems:colorscore
Dependent packages: 4Dependent repositories: 16
Downloads: 140,255 total
Affected Version Ranges: < 0.0.5
Fixed in: 0.0.5
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4
All unaffected versions: 0.0.5