CVE-2013-6421: Command injection vulnerability

December 12, 2013 (updated December 19, 2013)

The unpack_zip function in archive_unpacker.rb in the sprout gem for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename or path.

References

cxsecurity.com/issue/WLB-2013120023
github.com/lukebayes/project-sprouts/blob/e8e6c60438cd1a4d598645760b00ea005eb1cc2c/lib/sprout/archive_unpacker.rb

Code Behaviors & Features

Detect and mitigate CVE-2013-6421 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →