Arbitrary Code Execution Affecting sprout Open this link in a new tab package, versions >= 0.7.246
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-RUBY-SPROUT-20119
-
published
1 Dec 2013
-
disclosed
1 Dec 2013
-
credit
Unknown
Overview
sprout is a modular set of tools that take the tedium and frustration out of creating and managing programming projects by automatically installing and configuring external tools, libraries, commands and build tasks.
Affected versions of this gem are vulnerable to arbitrary code execution due to a flaw in the unpack_zip()
function in archive_unpacker.rb
. The program fails to properly sanitize input passed via the zip_file
, dir
, zip_name
, and output
parameters which may allow a context-dependent attacker to execute arbitrary code.