Arbitrary Code Execution Affecting sprout package, versions >= 0.7.246

Attack Complexity

Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-RUBY-SPROUT-20119
published

1 Dec 2013
disclosed

1 Dec 2013
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 1 Dec 2013

CVE-2013-6421 Open this link in a new tab CWE-94 Open this link in a new tab

Overview

sprout is a modular set of tools that take the tedium and frustration out of creating and managing programming projects by automatically installing and configuring external tools, libraries, commands and build tasks. Affected versions of this gem are vulnerable to arbitrary code execution due to a flaw in the unpack_zip() function in archive_unpacker.rb. The program fails to properly sanitize input passed via the zip_file, dir, zip_name, and output parameters which may allow a context-dependent attacker to execute arbitrary code.

References

http://rubysec.com/advisories/CVE-2013-6421

Arbitrary Code Execution Affecting sprout package, versions >= 0.7.246

Attack Complexity

snyk-id

published

disclosed

credit

Introduced: 1 Dec 2013

Overview

References