CVE-2013-1933 – Ruby Gem Karteek Docsplit 0.5.4 Command Injection

https://notcve.org/view.php?id=CVE-2013-1933

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. La función extract_from_ocr en lib/docsplit/text_extractor.rb en el Karteek Docsplit (karteek-docsplit) v0.5.4 para Ruby permite a atacantes dependientes de contexto para ejecutar comandos arbitrarios vía metacaracteres de shell en un nombre de archivo PDF. Ruby Gem Karteek Docsplit version 0.5.4 fails to sanitize user-supplied input. If a user is tricked into extracting a file with shell characters in the name, code can be executed remotely. • http://osvdb.org/92117 http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html http://www.openwall.com/lists/oss-security/2013/04/08/15 https://exchange.xforce.ibmcloud.com/vulnerabilities/83277 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •