Related vulnerabilities
GSD-2013-1802
Vulnerability from gsd — Updated: 2013-01-08 00:00
Details
The extlib gem for Ruby (0.9.15 and earlier) does not properly restrict casts of string values
while parsing parameters. An application that routes untrusted parameters through Action Pack's
YAML or Symbol type conversion may allow a remote attacker to perform object injection and execute
arbitrary code, or to cause a denial of service (memory and CPU consumption). The issue is similar
to CVE-2013-0156 and is fixed in extlib 0.9.16. Note that the CVSS v2 vector recorded for this
issue (AV:N/AC:L/Au:N/C:P/I:P/A:P) corresponds to NVD's base score of 7.5; the 9.3 score carried
elsewhere in this record does not match that vector.
Aliases
{
"GSD": {
"alias": "CVE-2013-1802",
"description": "The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.",
"id": "GSD-2013-1802",
"references": [
"https://www.suse.com/security/cve/CVE-2013-1802.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "extlib",
"purl": "pkg:gem/extlib"
}
}
],
"aliases": [
"CVE-2013-1802",
"OSVDB-90740"
],
"details": "extlib Gem for Ruby contains a flaw that is triggered when a type casting\nerror occurs during the parsing of parameters. This may allow a\ncontext-dependent attacker to potentially execute arbitrary code.\n",
"id": "GSD-2013-1802",
"modified": "2013-01-08T00:00:00.000Z",
"published": "2013-01-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1802"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.3,
"type": "CVSS_V2"
}
],
"summary": "extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1802",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately",
"refsource": "MISC",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"name": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00002.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00002.html"
},
{
"name": "https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5",
"refsource": "MISC",
"url": "https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=917233",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917233"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1802",
"cvss_v2": 9.3,
"date": "2013-01-08",
"description": "extlib Gem for Ruby contains a flaw that is triggered when a type casting\nerror occurs during the parsing of parameters. This may allow a\ncontext-dependent attacker to potentially execute arbitrary code.\n",
"gem": "extlib",
"osvdb": 90740,
"patched_versions": [
"\u003e= 0.9.16"
],
"title": "extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1802"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.9.16",
"affected_versions": "All versions before 0.9.16",
"credit": "[dkubb](https://github.com/dkubb)",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2013-04-10",
"description": "Similar to CVE-2013-0156 (Rails issue)",
"fixed_versions": [
"0.9.16"
],
"identifier": "CVE-2013-1802",
"identifiers": [
"CVE-2013-1802"
],
"package_slug": "gem/extlib",
"pubdate": "2013-04-09",
"solution": "Upgrade to extlib 0.9.16 or later.",
"title": "Parameter parsing vulnerabilities",
"urls": [
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1802",
"https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5"
],
"uuid": "ff19328a-60b0-4a07-8c0d-9d3380248fb2"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "0.9.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:dan_kubb:extlib:0.9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1802"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "SUSE-SU-2013:0612",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00002.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=917233",
"refsource": "MISC",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917233"
},
{
"name": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately",
"refsource": "MISC",
"tags": [],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"name": "https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-10T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}