VYPR
Moderate severity · NVD Advisory · Published Dec 7, 2013 · Updated Apr 29, 2026

CVE-2013-4479

Description

lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
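The fix for this issue validates the content type with a Shellwords round-trip: a value is accepted only if `Shellwords.escape` leaves it unchanged, otherwise it is replaced by `application/octet-stream`. The following is an added example that is not Sup's own code; it reimplements that acceptance rule as a stand-alone function, shows which kinds of values it rejects (including parameterised types, which the strict rule also downgrades), and pairs it with `Shellwords.join` for building a hook command from argv pieces instead of string interpolation. The `decoder` tool name and the sample values are constructed for illustration.

```ruby
require 'shellwords'

# Fallback type used when a value is rejected (same choice the fix makes).
SAFE_FALLBACK = 'application/octet-stream'

# Returns [sanitized_type, downgraded?].
# Rule mirrored from the fix commit: accept the value only if Shellwords.escape
# would not alter it, i.e. it contains no character a shell could interpret
# (Shellwords' safe set is roughly [A-Za-z0-9_\-.,:+/@]). Everything else,
# including parameterised types such as "text/plain; charset=utf-8", is
# replaced by application/octet-stream. Added example, not Sup's code.
def sanitize_content_type(raw)
  ct = raw.to_s.downcase
  if Shellwords.escape(ct) != ct
    [SAFE_FALLBACK, true]
  else
    [ct, false]
  end
end

# Even an accepted type should never be spliced into a shell string. Build the
# command as an argv array and let Shellwords.join quote each argument, so a
# filename or type with spaces or quotes stays a single argument.
# `tool` is a hypothetical decoder program name.
def mime_decode_command(tool, content_type, path)
  Shellwords.join([tool, '--type', content_type, path])
end

# Constructed sample values (not taken from any real message).
SAMPLES = [
  'text/plain',                  # accepted as-is
  'image/PNG',                   # accepted, lower-cased
  'text/plain; charset=utf-8',   # ';', ' ' and '=' are not in the safe set -> rejected
  "application/pdf'; echo hi",   # shell metacharacters -> rejected
].freeze

# Applies the rule to every sample and returns [raw, sanitized, downgraded?] rows.
def classify(samples = SAMPLES)
  samples.map { |s| [s, *sanitize_content_type(s)] }
end

if __FILE__ == $PROGRAM_NAME
  classify.each do |raw, ct, downgraded|
    puts "#{raw.inspect.ljust(32)} -> #{ct}#{downgraded ? ' (downgraded)' : ''}"
  end
  puts mime_decode_command('decoder', 'text/plain', "/tmp/sup it's.txt")
end
```

The third sample is the practical caveat of the round-trip check: it is an allowlist of characters, not a MIME parser, so if the caller can pass a type with parameters those messages will be decoded as opaque binary rather than through the matching hook. That is the safe failure direction, but it is worth knowing when debugging why an attachment lost its viewer.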

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         | Affected versions       | Patched versions
sup (RubyGems)  | < 0.13.2.1              | 0.13.2.1
sup (RubyGems)  | >= 0.14.0, < 0.14.1.1   | 0.14.1.1

Affected products

  • Supmua/Sup (5 versions)
    • cpe:2.3:a:supmua:sup:*:*:*:*:*:*:*:* (range: <= 0.13.2)
    • cpe:2.3:a:supmua:sup:0.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:supmua:sup:0.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:supmua:sup:0.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:supmua:sup:0.14.1:*:*:*:*:*:*:*

Patches

ca0302e0c716

security: prevent remote command injection in content_type

https://github.com/sup-heliotrope/sup · Gaute Hope · Oct 28, 2013 · via ghsa
1 file changed · +7 −2
  • lib/sup/message_chunks.rb (+7 −2, modified)
    @@ -113,6 +113,11 @@ class Attachment
     
         def initialize content_type, filename, encoded_content, sibling_types
           @content_type = content_type.downcase
    +      if Shellwords.escape(@content_type) != @content_type
    +        warn "content_type #{@content_type} is not safe, changed to application/octet-stream"
    +        @content_type = 'application/octet-stream'
    +      end
    +
           @filename = filename
           @quotable = false # changed to true if we can parse it through the
                             # mime-decode hook, or if it's plain text
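Review bot: the round-trip check `Shellwords.escape(@content_type) != @content_type` rejects any value containing a character outside Shellwords' safe set, and that set excludes `;`, space and `=`, so a content type carrying parameters (for example `text/plain; charset=utf-8`) would be downgraded to application/octet-stream; worth confirming that the caller passes only the bare type/subtype, or stripping parameters before the check. The hunk also does not show a `require 'shellwords'`; `write_to_disk` already calls `Shellwords.escape` so it is presumably loaded, but a short comment saying why escape is used here as a validator rather than applied to the value (the result becomes a hook argument, not a command string) would help the next reader.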
    @@ -129,7 +134,7 @@ def initialize content_type, filename, encoded_content, sibling_types
           else
             ## please see note in write_to_disk on important usage
             ## of quotes to avoid remote command injection.
    -        HookManager.run "mime-decode", :content_type => content_type,
    +        HookManager.run "mime-decode", :content_type => @content_type,
                             :filename => lambda { write_to_disk },
                             :charset => encoded_content.charset,
                             :sibling_types => sibling_types
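Review bot: switching the hook argument to the sanitized `@content_type` closes the reported vector, but the same call still passes `encoded_content.charset` and `sibling_types` through unfiltered; if a mime-decode hook interpolates either of them into a shell command the way it did with content_type, the same injection applies. Either apply the same Shellwords round-trip check to those values or state in the hook documentation that they are untrusted and must be quoted by the hook.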
    @@ -189,7 +194,7 @@ def view!
         ## note that the path returned from write_to_disk is
         ## Shellwords.escaped and is intended to be used without single
         ## or double quotes. the use of either opens sup up for remote
    -    ## code injection in the file name.
    +    ## code injection through the file name.
         def write_to_disk
           begin
             file = Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])
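Review bot: the comment wording fix is fine, but the context line it documents has a precedence problem: in `Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"` the `||` applies to the result of `Shellwords.escape`, which is never nil, so the fallback can never fire, and a nil `@filename` raises NoMethodError on `gsub` before escape runs. Suggest `Shellwords.escape((@filename || "sup-attachment").gsub("/", "_"))` so the fallback is applied to the name and the escaped result is what reaches Tempfile.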
    

