GSD-2013-1800
Vulnerability from gsd — Updated: 2013-01-09 00:00
The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
{
"GSD": {
"alias": "CVE-2013-1800",
"description": "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.",
"id": "GSD-2013-1800",
"references": [
"https://www.suse.com/security/cve/CVE-2013-1800.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "crack",
"purl": "pkg:gem/crack"
}
}
],
"aliases": [
"CVE-2013-1800",
"OSVDB-90742"
],
"details": "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.",
"id": "GSD-2013-1800",
"modified": "2013-01-09T00:00:00.000Z",
"published": "2013-01-09T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1800"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1800",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00003.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00003.html"
},
{
"name": "http://secunia.com/advisories/52897",
"refsource": "MISC",
"url": "http://secunia.com/advisories/52897"
},
{
"name": "https://bugzilla.novell.com/show_bug.cgi?id=804721",
"refsource": "MISC",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=804721"
},
{
"name": "https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6",
"refsource": "MISC",
"url": "https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6"
},
{
"name": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately",
"refsource": "MISC",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=917236",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917236"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1800",
"cvss_v2": 7.5,
"date": "2013-01-09",
"description": "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.",
"gem": "crack",
"osvdb": 90742,
"patched_versions": [
"\u003e= 0.3.2"
],
"title": "CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1800"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.3.2",
"affected_versions": "All versions before 0.3.2",
"credit": "[jnunemaker](https://github.com/jnunemaker)",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2013-04-10",
"description": "Similar to CVE-2013-0156 (Rails issue)",
"fixed_versions": [
"0.3.2"
],
"identifier": "CVE-2013-1800",
"identifiers": [
"CVE-2013-1800"
],
"not_impacted": "Upgrade",
"package_slug": "gem/crack",
"pubdate": "2013-04-09",
"solution": "Upgrade",
"title": "Parameter parsing vulnerabilities",
"urls": [
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1800",
"https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6"
],
"uuid": "19464a98-a536-4b9b-8145-2c7057821999"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:john_nunemaker:crack:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "0.3.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:john_nunemaker:crack:0.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:john_nunemaker:crack:0.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:john_nunemaker:crack:0.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1800"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately",
"refsource": "MISC",
"tags": [],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=917236",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=917236"
},
{
"name": "SUSE-SU-2013:0615",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00003.html"
},
{
"name": "52897",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/52897"
},
{
"name": "https://bugzilla.novell.com/show_bug.cgi?id=804721",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.novell.com/show_bug.cgi?id=804721"
},
{
"name": "https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6",
"refsource": "MISC",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-10T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}