Sha256: 15139331a4315d1862af2da22b9ca46b64587c58f3903bd655349ef10d49b7e1

Contents?: true

Size: 731 Bytes

Versions: 5

Compression:

Stored size: 731 Bytes

Contents

---
gem: colorscore
cve: 2015-7541
osvdb: 132516
url: http://seclists.org/oss-sec/2016/q1/17
title: colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection
date: 2016-01-04
description: |
  The contents of the `image_path`, `colors`, and `depth` variables generated
  from possibly user-supplied input are passed directly to the shell via
  `convert ...`.

  If a user supplies a value that includes shell metacharacters such as ';', an
  attacker may be able to execute shell commands on the remote system as the
  user id of the Ruby process.

  To resolve this issue, the aforementioned variables (especially `image_path`)
  must be sanitized for shell metacharacters.

patched_versions:
  - '>= 0.0.5'
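The injection pattern the description refers to, and the fix that avoids the shell altogether, as an added Ruby example. This is illustrative code written for this page, not the colorscore gem's `lib/colorscore/histogram.rb`; the `convert` flags (`-colors`, `-depth`, `txt:-`), the numeric ranges, and the function names are assumptions chosen for illustration.

```ruby
require 'shellwords'
require 'open3'

# Added example, not code from the colorscore gem. It reconstructs the pattern
# the advisory describes (user-controlled values interpolated into a shell
# command string) and shows how to build the command so no shell is involved.

# Hypothetical vulnerable shape: the caller would run the returned string via
# backticks or system(String), which hands the whole thing to /bin/sh, so a
# path of "a.png; id" runs `id` as the Ruby process's user.
def vulnerable_command(image_path, colors, depth)
  "convert #{image_path} -colors #{colors} -depth #{depth} txt:-"
end

# Conservative detector for characters /bin/sh gives meaning to. Useful as a
# test oracle or a last-resort reject filter; not a substitute for avoiding
# the shell.
SHELL_METACHARS = /[;&|`$(){}<>*?\[\]!~'"\\\s]/

def shell_metachars?(value)
  value.to_s.match?(SHELL_METACHARS)
end

# Hardened form: validate the numeric parameters, constrain the path, and
# return an argv array. Open3.capture2 / Process.spawn with multiple arguments
# call execve(2) directly, so ';' in a filename is just a byte in one argument.
def safe_convert_argv(image_path, colors, depth)
  colors = Integer(colors.to_s, 10)   # raises ArgumentError on "16; id"
  depth  = Integer(depth.to_s, 10)
  raise ArgumentError, "colors must be 1..256" unless (1..256).cover?(colors)
  raise ArgumentError, "depth must be 8 or 16" unless [8, 16].include?(depth)

  path = image_path.to_s
  # ImageMagick parses "coder:" prefixes (e.g. ephemeral:, http:) and "@list"
  # input files, and a leading "-" would be read as an option. Reject all
  # three so the argument can only ever name a plain local file.
  raise ArgumentError, "refusing special path #{path.inspect}" if path.empty? ||
    path.start_with?("-", "@") || path.include?(":")

  ["convert", path, "-colors", colors.to_s, "-depth", depth.to_s, "txt:-"]
end

# If a single shell string is unavoidable (a legacy helper that only accepts
# one string), escape every interpolated value. This is the "sanitize for
# shell metacharacters" route the advisory asks for; argv is still preferable.
def escaped_command(image_path, colors, depth)
  argv = safe_convert_argv(image_path, colors, depth)
  argv.map { |a| Shellwords.escape(a) }.join(" ")
end

# Runs the hardened command without a shell. Not invoked at load time because
# ImageMagick's convert may not be installed where this file is loaded.
def run_convert(image_path, colors, depth)
  out, status = Open3.capture2(*safe_convert_argv(image_path, colors, depth))
  raise "convert failed: #{status}" unless status.success?
  out
end
```

`escaped_command("a.png; id", "16", "8")` yields `convert a.png\;\ id -colors 16 -depth 8 txt:-`, which a shell parses back into a single filename argument, while `vulnerable_command` with the same input yields a string in which `id` is a second command. The coder-prefix and `@` checks in `safe_convert_argv` go beyond what the advisory requires; they are an added precaution because ImageMagick itself interprets those forms specially even when no shell is involved.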

Version data entries

5 entries across 5 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml