gsd-2013-1898
Vulnerability from gsd
Modified
2013-03-26 00:00
Details
The Thumbshooter Gem for Ruby contains a flaw caused by the program failing to properly sanitize input passed to thumbshooter.rb. Using a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
Aliases
{
"GSD": {
"alias": "CVE-2013-1898",
"description": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.",
"id": "GSD-2013-1898"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "thumbshooter",
"purl": "pkg:gem/thumbshooter"
}
}
],
"aliases": [
"CVE-2013-1898",
"OSVDB-91839"
],
"details": "Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.",
"id": "GSD-2013-1898",
"modified": "2013-03-26T00:00:00.000Z",
"published": "2013-03-26T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1898"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"refsource": "MISC",
"url": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html"
},
{
"name": "20130326 Ruby gem Thumbshooter 0.1.5 remote command\texecution",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2013/Mar/218"
},
{
"name": "91839",
"refsource": "OSVDB",
"url": "http://osvdb.org/91839"
},
{
"name": "[oss-security] 20130326 Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/3"
},
{
"name": "[oss-security] 20130326 Re: Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/13"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1898",
"cvss_v2": 7.5,
"date": "2013-03-26",
"description": "Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.",
"gem": "thumbshooter",
"osvdb": 91839,
"title": "Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1898"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=0.1.5",
"affected_versions": "All versions up to 0.1.5",
"credit": "@_larry0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937",
"CWE-94"
],
"date": "2013-04-10",
"description": "Specially crafted URLs can result in remote code execution if the URL contains shell metacharacters. This is due to the fact that the url is passed directly to the shell in the code thumbshooter.rb create method. ",
"fixed_versions": [],
"identifier": "CVE-2013-1898",
"identifiers": [
"CVE-2013-1898"
],
"package_slug": "gem/thumbshooter",
"pubdate": "2013-04-09",
"title": "Remote code execution",
"urls": [
"http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1898"
],
"uuid": "ed97b29b-224e-486d-a433-84a86761aae2"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:digineo:thumbshooter:0.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1898"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130326 Re: Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/13"
},
{
"name": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"refsource": "MISC",
"tags": [],
"url": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html"
},
{
"name": "91839",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/91839"
},
{
"name": "[oss-security] 20130326 Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/3"
},
{
"name": "20130326 Ruby gem Thumbshooter 0.1.5 remote command\texecution",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2013/Mar/218"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-10T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}