Title: jspec-steventux 3.3.2.1 /tmp vulnerability

The install function unsafely creates a temp file at a fixed, predictable path in /tmp to store the download of rhino.zip; a malicious local user could replace this file with one of their own, installing a modified jar file. If a remote user can control #{uri}, they can inject commands directly into the shell, as no sanitization of the variable is done before it is interpolated into the backtick command string.

jspec-steventux-3.3.2.1/src/installables.rb (lines 145-149):

    def install
      say "... fetching #{uri}"; `curl #{uri} -o /tmp/rhino.zip 2> /dev/null`
      say "... decompressing"; `unzip /tmp/rhino.zip -d /tmp`
      say "... installing to #{path}"; `mv /tmp/rhino1_7R2/js.jar #{path}`
    end