Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-7086
Vulnerability from gsd - Updated: 2013-12-12 00:00Details
Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
when handling a specially crafted growlnotify message. This may allow a
context-dependent attacker to execute arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-7086",
"description": "The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.",
"id": "GSD-2013-7086"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "webbynode",
"purl": "pkg:gem/webbynode"
}
}
],
"aliases": [
"CVE-2013-7086",
"OSVDB-100920"
],
"details": "Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered\nwhen handling a specially crafted growlnotify message. This may allow a\ncontext-dependent attacker to execute arbitrary commands.\n",
"id": "GSD-2013-7086",
"modified": "2013-12-12T00:00:00.000Z",
"published": "2013-12-12T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7086",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.vapid.dhs.org/advisories/webbynode-command-inj.html",
"refsource": "MISC",
"url": "http://www.vapid.dhs.org/advisories/webbynode-command-inj.html"
},
{
"name": "[oss-security] 20131212 Command injection in Ruby Gem Webbynode 1.0.5.3",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/493"
},
{
"name": "https://github.com/webbynode/webbynode/pull/85",
"refsource": "MISC",
"url": "https://github.com/webbynode/webbynode/pull/85"
},
{
"name": "http://packetstormsecurity.com/files/124421",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/124421"
},
{
"name": "webbynode-cve20137086-command-exec(89705)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89705"
},
{
"name": "20131214 Command injection in Ruby Gem Webbynode 1.0.5.3",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0079.html"
},
{
"name": "100920",
"refsource": "OSVDB",
"url": "http://osvdb.org/100920"
},
{
"name": "64289",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64289"
},
{
"name": "[oss-security] 20131212 Re: Command injection in Ruby Gem Webbynode 1.0.5.3",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/497"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-7086",
"cvss_v2": 7.5,
"date": "2013-12-12",
"description": "Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered\nwhen handling a specially crafted growlnotify message. This may allow a\ncontext-dependent attacker to execute arbitrary commands.\n",
"gem": "webbynode",
"osvdb": 100920,
"title": "Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7086"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.0.5.3",
"affected_versions": "All versions up to 1.0.5.3",
"credit": "Larry W. Cashdollar, @_larry0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937",
"CWE-94"
],
"date": "2017-08-28",
"description": "Code located in: ./lib/webbynode/notify.rb does not fully sanitize user supplied input before passing it to the shell via %x. Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.",
"fixed_versions": [],
"identifier": "CVE-2013-7086",
"identifiers": [
"CVE-2013-7086"
],
"package_slug": "gem/webbynode",
"pubdate": "2013-12-18",
"solution": "Apply Pull Request #85. See https://github.com/webbynode/webbynode/pull/85",
"title": "Growlnotify Message Handling Arbitrary Command Execution",
"urls": [
"http://www.vapid.dhs.org/advisories/webbynode-command-inj.html",
"https://github.com/webbynode/webbynode/pull/85"
],
"uuid": "49e39c11-9d22-429e-9961-68af83d73121"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:webbynode:webbynode:*:-:-:*:-:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.5.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:webbynode:webbynode:1.0.5.2:-:-:*:-:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:webbynode:webbynode:1.0.5.1:-:-:*:-:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:webbynode:webbynode:1.0.5:-:-:*:-:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7086"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20131212 Command injection in Ruby Gem Webbynode 1.0.5.3",
"refsource": "MLIST",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q4/493"
},
{
"name": "https://github.com/webbynode/webbynode/pull/85",
"refsource": "MISC",
"tags": [],
"url": "https://github.com/webbynode/webbynode/pull/85"
},
{
"name": "100920",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/100920"
},
{
"name": "20131214 Command injection in Ruby Gem Webbynode 1.0.5.3",
"refsource": "BUGTRAQ",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-12/0079.html"
},
{
"name": "http://packetstormsecurity.com/files/124421",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/124421"
},
{
"name": "http://www.vapid.dhs.org/advisories/webbynode-command-inj.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://www.vapid.dhs.org/advisories/webbynode-command-inj.html"
},
{
"name": "64289",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/64289"
},
{
"name": "[oss-security] 20131212 Re: Command injection in Ruby Gem Webbynode 1.0.5.3",
"refsource": "MLIST",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q4/497"
},
{
"name": "webbynode-cve20137086-command-exec(89705)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89705"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-29T01:34Z",
"publishedDate": "2013-12-19T04:24Z"
}
}
}