CVE-2013-1948 - Remote Command Injection vulnerability in Rob Westgeest Md2Pdf 0.0.1

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, rob-westgeest, ruby-lang, critical

Summary

converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.

Vulnerable Configurations

Part         Description    Count
Application  Rob_Westgeest  1
Application  Ruby-Lang      1

Packetstorm

data source: https://packetstormsecurity.com/files/download/121307/md2pdf-exec.txt
id: PACKETSTORM:121307
last seen: 2016-12-05
published: 2013-04-15
reporter: Larry W. Cashdollar
source: https://packetstormsecurity.com/files/121307/Ruby-Gem-md2pdf-Command-Injection.html
title: Ruby Gem md2pdf Command Injection

Seebug

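bulletinFamily: exploit
description: BUGTRAQ ID: 59061 CVE(CAN) ID: CVE-2013-1948 md2pdf is software that converts Markdown documents to PDF documents. User input in md2pdf's converter.rb is passed to the command line without being filtered, and an attacker can exploit this vulnerability to execute arbitrary commands in the affected application. 0 rubygems md2pdf Vendor patch: rubygems -------- The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: https://rubygems.org/gems/md2pdf
id: SSV:60747
last seen: 2017-11-19
modified: 2013-04-17
published: 2013-04-17
reporter: Root
title: RubyGems 'md2pdf' Remote Command Injection Vulnerability (CVE-2013-1948)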