CVE-2013-1875: Shell command injection in command_wrap
CVSS Score: N/A
Basic Information
CVE ID: CVE-2013-1875
GHSA ID: (not listed)
EPSS Score: 0.71768%
CWE: (not listed)
Published: 10/24/2017
Updated: 11/6/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| command_wrap | rubygems | <= 0.6.2 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two code patterns:
1) In the capture method, user-supplied URL and target parameters are directly interpolated into a CutyCapt command string.
2) In the wkhtmltopdf invocation, user-controlled source and target parameters are similarly interpolated.
Both cases use backticks (`) for command execution without proper input sanitization, allowing shell metacharacters like semicolons to break out of the intended command structure. This matches the CWE-94 description of code injection via uncontrolled command generation, and is explicitly confirmed in multiple advisories showing semicolon-based command injection.
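The remediation for the pattern above is to stop handing a string to the shell at all. The following is an added example written for this page, not command_wrap's own code or its fix: it builds the capture command as an argv array, validates the URL scheme and the output path up front, and executes through Open3 without `sh -c`. The tool name `CutyCapt` and its `--url=`/`--out=` flags, the `/tmp/captures` output directory and the `.png` extension check are assumptions for illustration.

```ruby
require "open3"
require "uri"

# Assumed binary name for the screenshot tool (illustrative, not from the gem).
CAPTURE_TOOL = "CutyCapt"

# Accept only http(s) URLs that carry a host. Anything else (file://, ftp://,
# malformed input) is rejected before it gets anywhere near a command line.
def validate_url!(url)
  uri = URI.parse(url.to_s)
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise ArgumentError, "refusing non-http(s) url: #{url.inspect}"
  end
  uri.to_s
rescue URI::InvalidURIError => e
  raise ArgumentError, "malformed url: #{e.message}"
end

# The output file must resolve inside out_dir (blocks "../" traversal) and
# carry the expected extension, so the caller cannot pick arbitrary paths.
def validate_target!(target, out_dir)
  base = File.expand_path(out_dir)
  path = File.expand_path(target.to_s, base)
  unless path.start_with?(base + File::SEPARATOR) && path.end_with?(".png")
    raise ArgumentError, "refusing target outside #{base}: #{target.inspect}"
  end
  path
end

# Build argv as an array. Each element becomes exactly one argument of the
# child process; no shell ever parses it, so ';', '|' and '$(...)' inside a
# URL stay literal instead of terminating the command (the CVE's root cause).
def safe_capture_argv(url, target, out_dir: "/tmp/captures")
  [CAPTURE_TOOL,
   "--url=#{validate_url!(url)}",
   "--out=#{validate_target!(target, out_dir)}"]
end

# Execute without a shell: Open3.capture3 with several arguments uses
# Process.spawn's argv form rather than `sh -c`. Returns stdout, raises on
# a non-zero exit so failures are not silently swallowed.
def run_capture(argv)
  stdout, stderr, status = Open3.capture3(*argv)
  raise "#{argv.first} failed (#{status.exitstatus}): #{stderr}" unless status.success?
  stdout
end

if __FILE__ == $0
  p safe_capture_argv("https://example.com/page", "page.png")
  # Stand-in for the real tool: echo shows that an argument containing a
  # semicolon arrives as one literal string and is not interpreted.
  puts run_capture(["echo", "--url=https://example.com/a;b"])
end
```

The validation is deliberately narrow (scheme, host, containing directory, extension) because semicolons are legal inside URLs and cannot simply be filtered out; the argv form is what makes them harmless, and the checks only shrink what an attacker can ask the tool to do.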