Skip to content

Creme Fraiche contains OS Command Injection

Critical severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Nov 6, 2023

Package

bundler cremefraiche (RubyGems)

Affected versions

< 0.6.1

Patched versions

0.6.1

Description

The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NOTE: some of these details are obtained from third party information.

References

Published by the National Vulnerability Database May 27, 2014
Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Nov 6, 2023

Severity

Critical

EPSS score

1.396%
(87th percentile)

Weaknesses

CVE ID

CVE-2013-2090

GHSA ID

GHSA-m6f7-46hw-grcj

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.