CVE-2013-5647: Sounder Contains Arbitrary Command Execution Vulnerability
7.5
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.8178%
CWE
Published
10/24/2017
Updated
11/6/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
sounder | rubygems | < 1.0.2 | 1.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs in the play method, where the user-supplied filename (@file) is embedded directly into a system() call via string interpolation. This allows attackers to inject arbitrary commands through shell metacharacters; the PoC demonstrates command execution by including ';' in the filename. Because system() is invoked with a single string argument, Ruby hands the command line to the shell for interpretation, which is what makes the injection possible. The code structure matches classic command injection patterns (CWE-94).