Search criteria
6 vulnerabilities found for httparty by john_nunemaker
FKIE_CVE-2024-22049
Vulnerability from fkie_nvd - Published: 2024-01-04 21:15 - Updated: 2025-06-03 15:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| john_nunemaker | httparty | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AB0E617-C4C9-43D8-BC21-30529152AD78",
"versionEndExcluding": "0.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written."
},
{
"lang": "es",
"value": "httparty anterior a 0.21.0 es afectado por una vulnerabilidad de par\u00e1metro web supuestamente inmutable. Un atacante remoto y no autenticado puede proporcionar un par\u00e1metro de filename manipulado durante las cargas de datos de multipart/form-data, lo que podr\u00eda dar lugar a que se escriban nombres de archivos controlados por el atacante."
}
],
"id": "CVE-2024-22049",
"lastModified": "2025-06-03T15:15:56.780",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-01-04T21:15:10.013",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit"
],
"url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
},
{
"source": "disclosure@vulncheck.com",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
},
{
"source": "disclosure@vulncheck.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
},
{
"source": "disclosure@vulncheck.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-472"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-1801
Vulnerability from fkie_nvd - Published: 2013-04-09 20:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7AF77B3-AFA1-482E-970C-A18CA17AFA04",
"versionEndIncluding": "0.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "320429F1-6058-481A-91FA-229EA72541C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "892C247D-82BC-460B-8B22-DA28E7EE94D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4D4C189F-BB30-489E-83D6-174B2E56933B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4985DEFE-D57D-4240-803D-1925B8A3B28D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "53FCC484-454E-4092-AA45-41713302C874",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "BAB48BB8-683E-4A28-BCDB-200D66DD6135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DADF06F7-9CED-4B50-B3F4-192EA8B09673",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "32E81542-5CCB-49C5-AEC1-6FE34F1D189D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7CA86AC3-A044-4D33-9AAA-4D3BCEB3D640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C36EB25-0BD6-4AFF-80D8-595938CBDE59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0E4E90DE-6D28-4D7F-95AA-A1829F6DAE3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7EBA09B-9667-4A69-90DC-A0C00A67B97C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6FABA0-145D-4F0F-9CB7-07BFFFE331EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F10CE4A6-65F3-4AAD-B186-A13FE4E2717D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5D247CCE-6628-4018-9F65-A09CAFF12B35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5C44A2D3-AE53-4E26-8881-EBD36636F9AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "79959AF0-5A72-4B9A-9B1F-3BA4D1BA41A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "085FA28C-F7A7-46FC-934C-D4A4C35FF257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A8620D5B-0AB1-4BF8-89E5-9E81B8688B2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DE27DD5F-1726-470F-B618-2BE880B175A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E30C2C76-1360-47F0-A136-C024FAD63915",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94F901F7-3589-4607-824F-4BACCDF150B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E4016FBD-0BA2-48F5-9F67-4978A82F855F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C9B9244D-B840-408C-8517-223CAD71AD45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A9F61BA4-3916-480B-A5E6-0AF3E07E805B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7C0E9145-FE79-4A5B-82AF-04BB36167977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "84D7769A-41C8-46D0-B502-B1740DCF1E06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0FCA76-DB62-443A-851D-CDAF5F2A877B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6153BC0E-4F33-4708-8DAB-84E330FC5D4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E6C015D8-EEAC-48D0-B4A1-AC98BB44408B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "40850AE1-5320-4B09-A5D4-6F393FA87B3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DBEAB380-095A-49AB-80D0-F1A71C0F5BC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DE64350B-FE1E-43BF-AFA7-136D61243966",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2E29674A-11AB-46B2-A67D-50AE296C91EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C237B5D0-3156-4A30-B224-ACBD60B8FAB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "33762DC0-6E68-44BB-AAC1-33246A383B22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "0E1F3330-4F2A-4134-8D0E-BEE3D91D7397",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "611780A3-7F88-406F-BBFB-38900773E0DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F05FFFDC-1C20-46EA-BA63-0D002901B0BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E5D68F-15A0-485D-98A1-1B2C178B2DCF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.7.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9B5F1C43-95C2-414F-833C-A9B611A0CF09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4F5456C9-EBD7-483A-8271-207FCD7B509B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D2D1D4C0-4908-4C6F-96D5-B2B982075121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD7E41-F1B6-4C42-BF19-F3DAF61D9285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:0.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FDE3D1AC-C201-4332-A8C7-EB27C8C3C2F3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156."
},
{
"lang": "es",
"value": "La gema httparty 0.9.0 y anteriores para Ruby no restringe adecuadamente las conversiones de los valores de cadena, lo que podr\u00eda permitir a atacantes remotos llevar a cabo ataques de inyecci\u00f3n de objetos y la ejecuci\u00f3n de c\u00f3digo arbitrario o provocar incluso una denegaci\u00f3n de servicio (consumo de memoria y CPU), aprovechando el soporte Action Pack para los conversores de tipo YALM . Vulnerabilidad similar a CVE-2013-0156."
}
],
"id": "CVE-2013-1801",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-04-09T20:55:01.960",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/58260"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"source": "secalert@redhat.com",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/58260"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-22049 (GCVE-0-2024-22049)
Vulnerability from cvelistv5 – Published: 2024-01-04 20:19 – Updated: 2025-11-29 01:18
VLAI?
Summary
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
Severity ?
5.3 (Medium)
CWE
- CWE-472 - External Control of Assumed-Immutable Web Parameter
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-28T12:03:40.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-22049",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T23:58:32.687393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:42:07.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://rubygems.org",
"defaultStatus": "unaffected",
"packageName": "httparty",
"versions": [
{
"lessThanOrEqual": "0.20.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
"versionEndIncluding": "0.20.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ehttparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\u003c/p\u003e"
}
],
"value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472 External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T01:18:47.199Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
},
{
"tags": [
"related"
],
"url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "httparty Multipart/Form-Data Request Tampering Vulnerability",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-22049",
"datePublished": "2024-01-04T20:19:02.547Z",
"dateReserved": "2024-01-04T18:44:53.108Z",
"dateUpdated": "2025-11-29T01:18:47.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-1801 (GCVE-0-2013-1801)
Vulnerability from cvelistv5 – Published: 2013-04-09 20:00 – Updated: 2024-08-06 15:13
VLAI?
Summary
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:13:32.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"name": "58260",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/58260"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-04-09T20:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"name": "58260",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/58260"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1801",
"datePublished": "2013-04-09T20:00:00Z",
"dateReserved": "2013-02-19T00:00:00Z",
"dateUpdated": "2024-08-06T15:13:32.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22049 (GCVE-0-2024-22049)
Vulnerability from nvd – Published: 2024-01-04 20:19 – Updated: 2025-11-29 01:18
VLAI?
Summary
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
Severity ?
5.3 (Medium)
CWE
- CWE-472 - External Control of Assumed-Immutable Web Parameter
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-28T12:03:40.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-22049",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T23:58:32.687393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:42:07.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://rubygems.org",
"defaultStatus": "unaffected",
"packageName": "httparty",
"versions": [
{
"lessThanOrEqual": "0.20.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
"versionEndIncluding": "0.20.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ehttparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\u003c/p\u003e"
}
],
"value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472 External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T01:18:47.199Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"patch"
],
"url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
},
{
"tags": [
"related"
],
"url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "httparty Multipart/Form-Data Request Tampering Vulnerability",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-22049",
"datePublished": "2024-01-04T20:19:02.547Z",
"dateReserved": "2024-01-04T18:44:53.108Z",
"dateUpdated": "2025-11-29T01:18:47.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-1801 (GCVE-0-2013-1801)
Vulnerability from nvd – Published: 2013-04-09 20:00 – Updated: 2024-08-06 15:13
VLAI?
Summary
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:13:32.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"name": "58260",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/58260"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-04-09T20:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917229"
},
{
"name": "58260",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/58260"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1801",
"datePublished": "2013-04-09T20:00:00Z",
"dateReserved": "2013-02-19T00:00:00Z",
"dateUpdated": "2024-08-06T15:13:32.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}