CVE-2013-4478 — sup-mail - remote command injection

Description

Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

How to fix CVE-2013-4478

To remediate CVE-2013-4478, upgrade the affected package to a fixed version below.

Debian/sup-mail—upgrade to 0.12.1+git20120407.aaa852f-1+deb7u1 or later
Debian/sup-mail—upgrade to 0.11-2+nmu1+deb6u1 or later
RubyGems/sup—upgrade to 0.13.2.1 or later

Is CVE-2013-4478 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.12.1+git20120407.aaa852f-1+deb7u1
from 0, < 0.11-2+nmu1+deb6u1
from 0, < 0.13.2.1

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4478
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4478
PATCHgithub.com/sup-heliotrope/sup
WEBrubyforge.org/pipermail/sup-talk/2013-August/004993.html
WEB