gsd-2013-4457
Vulnerability from gsd
Modified
2013-10-22 00:00
Details
Cocaine Gem for Ruby contains a flaw that is due to the method of variable interpolation used by the program. With a specially crafted object, a context-dependent attacker can execute arbitrary commands.
Aliases
{
"GSD": {
"alias": "CVE-2013-4457",
"description": "The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted hash object, related to recursive variable interpolation.",
"id": "GSD-2013-4457",
"references": [
"https://www.suse.com/security/cve/CVE-2013-4457.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "cocaine",
"purl": "pkg:gem/cocaine"
}
}
],
"aliases": [
"CVE-2013-4457",
"OSVDB-98835"
],
"details": "Cocaine Gem for Ruby contains a flaw that is due to the method of variable interpolation used by the program. With a specially crafted object, a context-dependent attacker can execute arbitrary commands.",
"id": "GSD-2013-4457",
"modified": "2013-10-22T00:00:00.000Z",
"published": "2013-10-22T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Cocaine Gem for Ruby contains a flaw"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4457",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted hash object, related to recursive variable interpolation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md",
"refsource": "CONFIRM",
"url": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md"
},
{
"name": "98835",
"refsource": "OSVDB",
"url": "http://osvdb.org/98835"
},
{
"name": "[oss-security] 20131022 Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/10/22/10"
},
{
"name": "55365",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55365"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4457",
"cvss_v2": 6.8,
"date": "2013-10-22",
"description": "Cocaine Gem for Ruby contains a flaw that is due to the method of variable interpolation used by the program. With a specially crafted object, a context-dependent attacker can execute arbitrary commands.",
"gem": "cocaine",
"osvdb": 98835,
"patched_versions": [
"\u003e= 0.5.3"
],
"title": "Cocaine Gem for Ruby contains a flaw",
"unaffected_versions": [
"\u003c 0.4.0"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4457"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.4.0 \u003c=0.5.2",
"affected_versions": "All versions starting from 0.4.0 up to 0.5.2",
"credit": "Holger Just",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2013-11-05",
"description": "Due to the method of variable interpolation in Cocaine to, an attacker may be able to inject hostile commands into a command line via a crafted hash object which are not properly escaped. The impact is lessened on Ruby * because hashes are not ordered by default, and so an attacker must rely on luck for the attack to work. An attack of this sort cannot take place if there is only one value being interpolated into the command line. Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the branch of Paperclip will not need to upgrade as the version of Cocaine it uses is not vulnerable to this attack.",
"fixed_versions": [
"0.5.3"
],
"identifier": "CVE-2013-4457",
"identifiers": [
"CVE-2013-4457"
],
"not_impacted": "0.3.x",
"package_slug": "gem/cocaine",
"pubdate": "2013-11-02",
"solution": "Upgrade to 0.5.3",
"title": "Recursive Interpolation Vulnerability",
"urls": [
"http://seclists.org/oss-sec/2013/q4/157"
],
"uuid": "a2e11cbc-61b8-4b91-b72b-fe5df1bc492b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.5.1:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.5.2:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.4.1:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.5.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.4.0:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:thoughtbot:cocaine:0.4.2:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4457"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted hash object, related to recursive variable interpolation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "98835",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/98835"
},
{
"name": "55365",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55365"
},
{
"name": "[oss-security] 20131022 Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/10/22/10"
},
{
"name": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/thoughtbot/cocaine/blob/master/NEWS.md"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-11-05T15:21Z",
"publishedDate": "2013-11-02T18:55Z"
}
}
}