Vulnerability Details : CVE-2013-1933
The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.
Exploit prediction scoring system (EPSS) score for CVE-2013-1933
Probability of exploitation activity in the next 30 days: 0.31%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 66 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2013-1933
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2013-1933
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1933
-
http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html
-
http://www.openwall.com/lists/oss-security/2013/04/08/15
oss-security - Re: Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/83277
RubyGems karteek-docsplit command execution CVE-2013-1933 Vulnerability Report
Products affected by CVE-2013-1933
- cpe:2.3:a:documentcloud:karteek-docsplit:0.5.4:*:*:*:*:*:*:*