
Related vulnerabilities

GSD-2013-1875

Vulnerability from gsd - Updated: 2013-03-18 00:00
Details
The command_wrap gem for Ruby contains a flaw that is triggered when it handles input passed via a URL that contains a semicolon character (;). Because the semicolon is a shell metacharacter, a remote attacker can inject arbitrary commands, which are executed in the context of the user who clicks the crafted URL. The record below lists all versions up to 0.6.2 as affected and gives no fixed version.
Aliases

{
  "GSD": {
    "alias": "CVE-2013-1875",
    "description": "command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.",
    "id": "GSD-2013-1875"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "command_wrap",
            "purl": "pkg:gem/command_wrap"
          }
        }
      ],
      "aliases": [
        "CVE-2013-1875",
        "OSVDB-91450"
      ],
      "details": "command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.",
      "id": "GSD-2013-1875",
      "modified": "2013-03-18T00:00:00.000Z",
      "published": "2013-03-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1875"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V2"
        }
      ],
      "summary": "command_wrap Gem for Ruby URI Handling Arbitrary Command Injection"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-1875",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20130318 Remote command execution in Ruby Gem Command Wrap",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2013/Mar/175"
          },
          {
            "name": "http://packetstormsecurity.com/files/120847/Ruby-Gem-Command-Wrap-Command-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/120847/Ruby-Gem-Command-Wrap-Command-Execution.html"
          },
          {
            "name": "[oss-security] 20130319 Fwd: CVE requests",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2013/03/19/9"
          },
          {
            "name": "91450",
            "refsource": "OSVDB",
            "url": "http://www.osvdb.org/91450"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2013-1875",
      "cvss_v2": 7.5,
      "date": "2013-03-18",
      "description": "command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.",
      "gem": "command_wrap",
      "osvdb": 91450,
      "title": "command_wrap Gem for Ruby URI Handling Arbitrary Command Injection",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1875"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=0.6.2",
          "affected_versions": "All versions up to 0.6.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2013-03-21",
          "description": "Commands executed if the remote URL or filename contains the shell character \u0027;\u0027. The commands will be executed as the client user if tricked into using the malicious URL or filename.",
          "fixed_versions": [],
          "identifier": "CVE-2013-1875",
          "identifiers": [
            "CVE-2013-1875"
          ],
          "package_slug": "gem/command_wrap",
          "pubdate": "2013-03-20",
          "solution": "No solution yet.",
          "title": "Remote command execution in Ruby Gem Command Wrap",
          "urls": [
            "http://direct.osvdb.org/show/osvdb/91450",
            "http://vapid.dhs.org/advisories/command-wrap-remoteexec.html"
          ],
          "uuid": "0901318c-90a8-4557-83d0-45b8e0d95aa0"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:command_wrap:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-1875"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "91450",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://www.osvdb.org/91450"
            },
            {
              "name": "20130318 Remote command execution in Ruby Gem Command Wrap",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2013/Mar/175"
            },
            {
              "name": "[oss-security] 20130319 Fwd: CVE requests",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2013/03/19/9"
            },
            {
              "name": "http://packetstormsecurity.com/files/120847/Ruby-Gem-Command-Wrap-Command-Execution.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://packetstormsecurity.com/files/120847/Ruby-Gem-Command-Wrap-Command-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2013-03-21T04:00Z",
      "publishedDate": "2013-03-20T22:55Z"
    }
  }
}