Related vulnerabilities
gsd-2013-4457
Vulnerability from gsd
Modified
2013-10-22 00:00
Details
Cocaine Gem for Ruby contains a flaw that is due to the method of variable interpolation used by the program. With a specially crafted object, a context-dependent attacker can execute arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4457",
"description": "The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.",
"id": "GSD-2013-4457",
"references": [
"https://www.suse.com/security/cve/CVE-2013-4457.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "cocaine",
"purl": "pkg:gem/cocaine"
}
}
],
"aliases": [
"CVE-2013-4457",
"OSVDB-98835"
],
"details": "Cocaine Gem for Ruby contains a flaw that is due to the method of variable interpolation used by the program. With a specially crafted object, a context-dependent attacker can execute arbitrary commands.",
"id": "GSD-2013-4457",
"modified": "2013-10-22T00:00:00.000Z",
"published": "2013-10-22T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Cocaine Gem for Ruby contains a flaw"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4457",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md",
"refsource": "CONFIRM",
"url": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md"
},
{
"name": "98835",
"refsource": "OSVDB",
"url": "http://osvdb.org/98835"
},
{
"name": "[oss-security] 20131022 Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/22/10"
},
{
"name": "55365",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55365"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4457",
"cvss_v2": 6.8,
"date": "2013-10-22",
"description": "Cocaine Gem for Ruby contains a flaw that is due to the method of variable interpolation used by the program. With a specially crafted object, a context-dependent attacker can execute arbitrary commands.",
"gem": "cocaine",
"osvdb": 98835,
"patched_versions": [
"\u003e= 0.5.3"
],
"title": "Cocaine Gem for Ruby contains a flaw",
"unaffected_versions": [
"\u003c 0.4.0"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4457"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.4.0 \u003c=0.5.2",
"affected_versions": "All versions starting from 0.4.0 up to 0.5.2",
"credit": "Holger Just",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2013-11-05",
"description": "Due to the method of variable interpolation in Cocaine to, an attacker may be able to inject hostile commands into a command line via a crafted hash object which are not properly escaped. The impact is lessened on Ruby * because hashed are not ordered by default, and so an attacker must rely on luck for the attack to work. An attack of this sort cannot take place if there is only one value being interpolated into the command line. Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the branch of Paperclip will not need to upgrade as the version of Cocaine it uses is not vulnerable to this attack.",
"fixed_versions": [
"0.5.3"
],
"identifier": "CVE-2013-4457",
"identifiers": [
"CVE-2013-4457"
],
"not_impacted": "0.3.x",
"package_slug": "gem/cocaine",
"pubdate": "2013-11-02",
"solution": "Upgrade to 0.5.3",
"title": "Recursive Interpolation Vulnerability",
"urls": [
"http://seclists.org/oss-sec/2013/q4/157"
],
"uuid": "a2e11cbc-61b8-4b91-b72b-fe5df1bc492b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.5.1:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.5.2:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.4.1:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.5.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.4.0:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.4.2:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4457"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "98835",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/98835"
},
{
"name": "55365",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55365"
},
{
"name": "[oss-security] 20131022 Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/10/22/10"
},
{
"name": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-11-05T15:21Z",
"publishedDate": "2013-11-02T18:55Z"
}
}
}