gsd-2013-1898
Vulnerability from gsd
Modified
2013-03-26 00:00
Details
Thumbshooter Gem for Ruby contains a flaw caused by the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
Aliases
{
"GSD": {
"alias": "CVE-2013-1898",
"description": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.",
"id": "GSD-2013-1898"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "thumbshooter",
"purl": "pkg:gem/thumbshooter"
}
}
],
"aliases": [
"CVE-2013-1898",
"OSVDB-91839"
],
"details": "Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.",
"id": "GSD-2013-1898",
"modified": "2013-03-26T00:00:00.000Z",
"published": "2013-03-26T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1898"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"refsource": "MISC",
"url": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html"
},
{
"name": "20130326 Ruby gem Thumbshooter 0.1.5 remote command\texecution",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2013/Mar/218"
},
{
"name": "91839",
"refsource": "OSVDB",
"url": "http://osvdb.org/91839"
},
{
"name": "[oss-security] 20130326 Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/3"
},
{
"name": "[oss-security] 20130326 Re: Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/13"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1898",
"cvss_v2": 7.5,
"date": "2013-03-26",
"description": "Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.",
"gem": "thumbshooter",
"osvdb": 91839,
"title": "Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1898"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=0.1.5",
"affected_versions": "All versions up to 0.1.5",
"credit": "@_larry0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937",
"CWE-94"
],
"date": "2013-04-10",
"description": "Specially crafted URLs can result in remote code execution if the URL contains shell metacharacters. This is because the URL is passed directly to the shell by the create method in thumbshooter.rb.",
"fixed_versions": [],
"identifier": "CVE-2013-1898",
"identifiers": [
"CVE-2013-1898"
],
"package_slug": "gem/thumbshooter",
"pubdate": "2013-04-09",
"title": "Remote code execution",
"urls": [
"http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1898"
],
"uuid": "ed97b29b-224e-486d-a433-84a86761aae2"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:digineo:thumbshooter:0.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1898"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130326 Re: Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/13"
},
{
"name": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"refsource": "MISC",
"tags": [],
"url": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html"
},
{
"name": "91839",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/91839"
},
{
"name": "[oss-security] 20130326 Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/3"
},
{
"name": "20130326 Ruby gem Thumbshooter 0.1.5 remote command\texecution",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2013/Mar/218"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-10T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.