CVE-2013-1948: md2pdf allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename
CVSS Score: 10
Basic Information
CVE ID: CVE-2013-1948
GHSA ID
EPSS Score: 0.74922%
CWE: -
Published: 10/24/2017
Updated: 11/10/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| md2pdf | rubygems | <= 0.0.1 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly states that converter.rb in md2pdf allows command injection via filenames. This indicates the file contains a function that passes user-controlled filenames directly into shell commands without proper sanitization. The most probable location is the main conversion function (likely named 'convert') that processes filenames. Ruby's common command execution patterns (system or backticks) are vulnerable in this way when untrusted input is interpolated into the command string. While the exact code isn't available, the CVE description and file path provide strong contextual evidence.
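As an added illustration (not md2pdf's converter.rb, which is not on this page), the Ruby pattern the analysis describes beside two hardened forms and a pre-check a converter could apply; the tainted filename and the use of `echo` in place of the real converter binary are constructed assumptions:

```ruby
require 'shellwords'
require 'open3'

# Constructed demonstration filename (not from the CVE): the ';' lets a
# shell-parsed command string run a second command after the first.
TAINTED = "notes.md; echo INJECTED"

# Vulnerable pattern: the filename is interpolated into one command
# string, which Ruby hands to /bin/sh because it contains metacharacters.
# `echo` stands in for the converter binary.
def run_via_shell_string(filename)
  out, _status = Open3.capture2("echo #{filename}")
  out
end

# Hardened form 1: argv array form. Ruby execs the program directly,
# no shell is involved, and the filename arrives as one literal argument.
def run_via_argv(filename)
  out, _status = Open3.capture2("echo", filename)
  out
end

# Hardened form 2: when a shell string cannot be avoided, escape the
# argument so metacharacters are passed through as plain characters.
def run_via_escaped_string(filename)
  out, _status = Open3.capture2("echo #{Shellwords.escape(filename)}")
  out
end

# Defensive pre-check for a converter: accept only a plain, path-free
# markdown filename before it reaches any command at all.
def acceptable_markdown_name?(filename)
  File.basename(filename) == filename &&
    filename.match?(/\A[\w][\w.-]*\.md\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts "shell string : #{run_via_shell_string(TAINTED).inspect}"
  puts "argv form    : #{run_via_argv(TAINTED).inspect}"
  puts "escaped      : #{run_via_escaped_string(TAINTED).inspect}"
end
```

Running it shows the shell-string form emitting two lines (the second from the injected command) while both hardened forms print the whole filename as a single argument.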