The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.Referenceshttp://www.vapidlabs.com/advisory.php?v=63http://www.vapid.dhs.org/advisories/karo-2.3.8.html
