fkie_cve-2013-1801
Vulnerability from fkie_nvd
Published
2013-04-09 20:55
Modified
2025-04-11 00:51
Severity ?
Summary
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7AF77B3-AFA1-482E-970C-A18CA17AFA04",
"versionEndIncluding": "0.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "320429F1-6058-481A-91FA-229EA72541C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "892C247D-82BC-460B-8B22-DA28E7EE94D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4D4C189F-BB30-489E-83D6-174B2E56933B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4985DEFE-D57D-4240-803D-1925B8A3B28D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "53FCC484-454E-4092-AA45-41713302C874",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "BAB48BB8-683E-4A28-BCDB-200D66DD6135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DADF06F7-9CED-4B50-B3F4-192EA8B09673",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "32E81542-5CCB-49C5-AEC1-6FE34F1D189D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7CA86AC3-A044-4D33-9AAA-4D3BCEB3D640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C36EB25-0BD6-4AFF-80D8-595938CBDE59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0E4E90DE-6D28-4D7F-95AA-A1829F6DAE3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7EBA09B-9667-4A69-90DC-A0C00A67B97C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6FABA0-145D-4F0F-9CB7-07BFFFE331EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F10CE4A6-65F3-4AAD-B186-A13FE4E2717D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5D247CCE-6628-4018-9F65-A09CAFF12B35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5C44A2D3-AE53-4E26-8881-EBD36636F9AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "79959AF0-5A72-4B9A-9B1F-3BA4D1BA41A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "085FA28C-F7A7-46FC-934C-D4A4C35FF257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A8620D5B-0AB1-4BF8-89E5-9E81B8688B2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DE27DD5F-1726-470F-B618-2BE880B175A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E30C2C76-1360-47F0-A136-C024FAD63915",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94F901F7-3589-4607-824F-4BACCDF150B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E4016FBD-0BA2-48F5-9F67-4978A82F855F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C9B9244D-B840-408C-8517-223CAD71AD45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A9F61BA4-3916-480B-A5E6-0AF3E07E805B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7C0E9145-FE79-4A5B-82AF-04BB36167977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "84D7769A-41C8-46D0-B502-B1740DCF1E06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0FCA76-DB62-443A-851D-CDAF5F2A877B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6153BC0E-4F33-4708-8DAB-84E330FC5D4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E6C015D8-EEAC-48D0-B4A1-AC98BB44408B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "40850AE1-5320-4B09-A5D4-6F393FA87B3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DBEAB380-095A-49AB-80D0-F1A71C0F5BC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DE64350B-FE1E-43BF-AFA7-136D61243966",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2E29674A-11AB-46B2-A67D-50AE296C91EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C237B5D0-3156-4A30-B224-ACBD60B8FAB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "33762DC0-6E68-44BB-AAC1-33246A383B22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0E1F3330-4F2A-4134-8D0E-BEE3D91D7397",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "611780A3-7F88-406F-BBFB-38900773E0DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F05FFFDC-1C20-46EA-BA63-0D002901B0BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E5D68F-15A0-485D-98A1-1B2C178B2DCF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9B5F1C43-95C2-414F-833C-A9B611A0CF09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4F5456C9-EBD7-483A-8271-207FCD7B509B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D2D1D4C0-4908-4C6F-96D5-B2B982075121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD7E41-F1B6-4C42-BF19-F3DAF61D9285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FDE3D1AC-C201-4332-A8C7-EB27C8C3C2F3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156."
},
{
"lang": "es",
"value": "La gema httparty 0.9.0 y anteriores para Ruby no restringe adecuadamente las conversiones de los valores de cadena, lo que podr\u00eda permitir a atacantes remotos llevar a cabo ataques de inyecci\u00f3n de objetos y la ejecuci\u00f3n de c\u00f3digo arbitrario o provocar incluso una denegaci\u00f3n de servicio (consumo de memoria y CPU), aprovechando el soporte Action Pack para los conversores de tipo YALM . Vulnerabilidad similar a CVE-2013-0156."
}
],
"id": "CVE-2013-1801",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-04-09T20:55:01.960",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/58260"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"source": "secalert@redhat.com",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/58260"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…