unp 1.0.12, and other versions before 1.0.14, does not properly escape file names, which might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument. NOTE: this might only be a vulnerability when unp is invoked by a third party product.
The 'unp' package is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.Attackers can exploit this issue to execute arbitrary shell commands in the context of the application using the vulnerable version of 'unp'. This may facilitate the remote compromise of affected computers.This issue affects unp 1.0.12; other versions may also be affected.
The vendor has released an update that addresses this issue. Please see the references for more information.
An attacker can use standard tools to exploit this issue.