Critical severity 10.0 · NVD Advisory · Published Jan 8, 2016 · Updated May 6, 2026
CVE-2015-7541
Description
The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable.
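The description above names the three interpolated values. As an added example (not the gem's own code), the Ruby below reproduces the pre-0.0.5 backtick pattern, the 0.0.5 `shellescape`/`to_i` fix, and a shell-free argv alternative, using `echo` as a stand-in for ImageMagick's `convert` so it runs without ImageMagick installed; the hostile path and the option range are constructed for the demonstration.

```ruby
require "open3"
require "shellwords"

# Added example modelled on CVE-2015-7541: before 0.0.5, Histogram#initialize
# interpolated caller-controlled values straight into a backtick command.
# `echo` stands in for `convert` so the three variants run anywhere.
module HistogramCommand
  # Pre-patch pattern: the string is handed to /bin/sh, so metacharacters in
  # image_path are parsed as additional shell commands.
  def self.run_unescaped(image_path)
    `echo #{image_path}`
  end

  # 0.0.5 pattern: String#shellescape quotes every metacharacter, so the shell
  # sees the whole value as a single word.
  def self.run_escaped(image_path)
    `echo #{image_path.shellescape}`
  end

  # Shell-free alternative: an argv array goes to exec directly, so there is
  # no shell to interpret anything and no escaping step to get wrong.
  def self.run_argv(image_path, colors: 16, depth: 8)
    argv = ["echo", image_path, "-colors", colors.to_s, "-depth", depth.to_s]
    out, status = Open3.capture2(*argv)
    raise "command failed with status #{status.exitstatus}" unless status.success?
    out
  end

  # The patch used to_i, which silently maps "abc" to 0 and "16; id" to 16.
  # Integer() rejects anything that is not purely numeric, and the range check
  # (constructed here) keeps the value inside what the option sensibly accepts.
  def self.int_option(value, name, range)
    n = begin
      Integer(value.to_s, 10)
    rescue ArgumentError
      raise ArgumentError, "#{name} must be an integer, got #{value.inspect}"
    end
    raise ArgumentError, "#{name} out of range: #{n}" unless range.cover?(n)
    n
  end
end
```

With a path of `"photo.png; echo INJECTED"`, only `run_unescaped` prints a second line, which is the behaviour the advisory describes; the other two print the path verbatim.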
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| colorscore (RubyGems) | < 0.0.5 | 0.0.5 |
Affected products
- cpe:2.3:a:colorscore_project:colorscore:*:*:*:*:*:ruby:*:* (Range: <= 0.0.4)
Patches
1 file changed · +3 −1
lib/colorscore/histogram.rb+3 −1 modified@@ -1,7 +1,9 @@ +require "shellwords" + module Colorscore class Histogram def initialize(image_path, colors=16, depth=8) - output = `convert #{image_path} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-` + output = `convert #{image_path.shellescape} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors.to_i} -depth #{depth.to_i} histogram:info:-` @lines = output.lines.sort.reverse.map(&:strip).reject(&:empty?) end
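Review bot: the patched backtick line still routes the whole command through /bin/sh and relies on `shellescape` being applied to every interpolated string; passing the arguments as an array, e.g. `Open3.capture2("convert", image_path, "-resize", "400x400", ...)`, removes the shell entirely and with it the escaping step. Separately, `colors.to_i` and `depth.to_i` coerce non-numeric input to 0 instead of rejecting it, and the exit status of `convert` is never checked, so a failed invocation silently yields an empty histogram; `Integer(colors)` with a range check and a `$?.success?` test after the call would surface both.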
References
- github.com/quadule/colorscore/commit/570b5e854cecddd44d2047c44126aed951b61718 (NVD: Patch)
- github.com/advisories/GHSA-73qw-ww62-m54x (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-7541 (GHSA: Advisory)
- rubysec.com/advisories/CVE-2015-7541 (GHSA: Web)
- seclists.org/oss-sec/2016/q1/17 (GHSA: Web)
- www.openwall.com/lists/oss-security/2016/01/05/2 (NVD: Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/colorscore/CVE-2015-7541.yml (GHSA: Web)
- rubysec.com/advisories/CVE-2015-7541/ (NVD)