CVE-2015-7541: Arbitrary Command Injection
The contents of the image_path, colors, and depth variables generated from possibly user-supplied input are passed directly to the shell. If a user supplies a value that includes shell metacharacters such as ';', an attacker may be able to execute shell commands on the remote system as the user id of the Ruby process.
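The bug class described above, as a constructed Ruby illustration added here (not the affected gem's own code): the shell-interpolated form beside an argv-based rewrite that validates the numeric options and never hands the values to a shell. The `convert` histogram command line is an assumption about the wrapped tool; `convert:` can be pointed at `echo` so the example runs offline.

```ruby
require "open3"

# Constructed illustration of the CVE-2015-7541 bug class. The convert
# command line is an assumption about the wrapped tool, not the gem's code.
module Histogram
  class BadInput < ArgumentError; end

  # Vulnerable shape: the three untrusted values are interpolated into a
  # single string that would be handed to /bin/sh (backticks, system(str)).
  # image_path = "x.png; id" turns one command into two. Only builds the
  # string; nothing here executes it.
  def self.vulnerable_command(image_path, colors, depth)
    "convert #{image_path} -colors #{colors} -depth #{depth} " \
      "-format %c histogram:info:-"
  end

  # Hardened shape: numeric options are checked against a strict allowlist,
  # and the command is built as an argv array, so no shell ever parses it.
  # `convert:` lets the caller point at another binary (e.g. echo) for
  # offline testing; it is not a user-controlled value.
  def self.safe_argv(image_path, colors, depth, convert: "convert")
    [colors, depth].each do |v|
      next if v.to_s.match?(/\A[1-9]\d*\z/)
      raise BadInput, "expected a positive integer, got #{v.inspect}"
    end
    [convert, image_path, "-colors", colors.to_s, "-depth", depth.to_s,
     "-format", "%c", "histogram:info:-"]
  end

  # Executes argv directly: Open3.capture2 with several arguments calls
  # execvp and never involves a shell, so ';' in image_path stays literal
  # text inside one argument. Returns [stdout, exited_successfully].
  # Whether convert itself trusts the path is a separate question.
  def self.run(argv)
    out, status = Open3.capture2(*argv)
    [out, status.success?]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts Histogram.vulnerable_command("x.png; id", 16, 8)
  out, _ok = Histogram.run(Histogram.safe_argv("x.png; id", 16, 8, convert: "echo"))
  puts out # "; id" is echoed back as part of a single argument, not run
end
```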