add in ./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb
puts"Code execution with : #{%x(id)}"
require the gem in a other projet may run the shell code with the user privilege.
$ brakeman
Loading scanner...
Code execution with : uid=1000(xxxx) gid=1000(xxxx) groups=1000(xxxx)
Please supply the path to a Rails application (looking in /home/xxxx/).
Please release a new release asap.
The text was updated successfully, but these errors were encountered:
Hi,
This gem has world writable files in the release 1.0.0.
how to reproduce the issue
exploitation poc
add in ./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb
require the gem in a other projet may run the shell code with the user privilege.
Please release a new release asap.
The text was updated successfully, but these errors were encountered: