Arbitrary shell execution when extracting or listing files contained in a malicious rpm.

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

ruby-arr-pm 操作系统命令注入漏洞

ruby-arr-pm是Jordan Sissel个人开发者的一个用 Ruby 编写的 RPM 读取/写入库。旨在为 fpm 提供一种读写 RPM 的方法。 ruby-arr-pm 0.0.11版本及之前版本存在安全漏洞。攻击者利用该漏洞执行Shell脚本。

N/A

N/A