Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-0175
Vulnerability from gsd - Updated: 2013-01-11 00:00Details
The multi_xml Gem for Ruby contains a flaw that is triggered when an error
occurs during the parsing of the 'XML' parameter. With a crafted request
containing arbitrary symbol and yaml types, a remote attacker can execute
arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-0175",
"description": "multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.",
"id": "GSD-2013-0175",
"references": [
"https://www.suse.com/security/cve/CVE-2013-0175.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "multi_xml",
"purl": "pkg:gem/multi_xml"
}
}
],
"aliases": [
"CVE-2013-0175",
"OSVDB-89148"
],
"details": "The multi_xml Gem for Ruby contains a flaw that is triggered when an error\noccurs during the parsing of the \u0027XML\u0027 parameter. With a crafted request\ncontaining arbitrary symbol and yaml types, a remote attacker can execute\narbitrary commands.\n",
"id": "GSD-2013-0175",
"modified": "2013-01-11T00:00:00.000Z",
"published": "2013-01-11T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0175"
}
],
"schema_version": "1.4.0",
"summary": "multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0175",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.openwall.com/lists/oss-security/2013/01/11/9",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/01/11/9"
},
{
"name": "https://gist.github.com/nate/d7f6d9f4925f413621aa",
"refsource": "MISC",
"url": "https://gist.github.com/nate/d7f6d9f4925f413621aa"
},
{
"name": "https://github.com/sferik/multi_xml/pull/34",
"refsource": "MISC",
"url": "https://github.com/sferik/multi_xml/pull/34"
},
{
"name": "https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0"
},
{
"name": "https://news.ycombinator.com/item?id=5040457",
"refsource": "MISC",
"url": "https://news.ycombinator.com/item?id=5040457"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0175",
"date": "2013-01-11",
"description": "The multi_xml Gem for Ruby contains a flaw that is triggered when an error\noccurs during the parsing of the \u0027XML\u0027 parameter. With a crafted request\ncontaining arbitrary symbol and yaml types, a remote attacker can execute\narbitrary commands.\n",
"gem": "multi_xml",
"osvdb": 89148,
"patched_versions": [
"\u003e= 0.5.2"
],
"title": "multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0175"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.5.2",
"affected_versions": "All versions before 0.5.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2018-08-13",
"description": "The multi_xml Gem for Ruby contains a flaw that is triggered when an error occurs during the parsing of XML parameters. With a crafted request containing arbitrary symbol and yaml types, a remote attacker can execute arbitrary commands.",
"fixed_versions": [
"0.5.2"
],
"identifier": "CVE-2013-0175",
"identifiers": [
"CVE-2013-0175"
],
"package_slug": "gem/multi_xml",
"pubdate": "2013-04-25",
"solution": "Upgrade",
"title": "multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution",
"urls": [
"https://github.com/sferik/multi_xml/pull/34"
],
"uuid": "de3784fd-44e5-4210-940b-c7b3f4795009"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:erik_michaels-ober:multi_xml:0.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:erik_michaels-ober:multi_xml:0.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grape_project:grape:0.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0175"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130111 Re: CVE request for multi_xml ruby gem (has same problem as CVE-2013-0156)",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/01/11/9"
},
{
"name": "https://gist.github.com/nate/d7f6d9f4925f413621aa",
"refsource": "CONFIRM",
"tags": [],
"url": "https://gist.github.com/nate/d7f6d9f4925f413621aa"
},
{
"name": "https://github.com/sferik/multi_xml/pull/34",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/sferik/multi_xml/pull/34"
},
{
"name": "https://news.ycombinator.com/item?id=5040457",
"refsource": "MISC",
"tags": [],
"url": "https://news.ycombinator.com/item?id=5040457"
},
{
"name": "https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0",
"refsource": "MISC",
"tags": [],
"url": "https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:27Z",
"publishedDate": "2013-04-25T23:55Z"
}
}
}