CVE-2013-1911: Remote command execution in Ruby Gem ldoce

April 2, 2013 (updated August 28, 2017)

The package ldoce passes a URL to commandline for audio output of the pronunciation of a dictonary word. If the URL contains a shell metacharacter, arbitrary code can be executed remotely as the client.

References

otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1911

Detect and mitigate CVE-2013-1911 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →