Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-1933
Vulnerability from gsd - Updated: 2013-04-08 00:00Details
Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-1933",
"description": "The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.",
"id": "GSD-2013-1933",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2013-1933"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "karteek-docsplit",
"purl": "pkg:gem/karteek-docsplit"
}
}
],
"aliases": [
"CVE-2013-1933",
"OSVDB-92117"
],
"details": "Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
"id": "GSD-2013-1933",
"modified": "2013-04-08T00:00:00.000Z",
"published": "2013-04-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1933"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.3,
"type": "CVSS_V2"
}
],
"summary": "Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1933",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92117",
"refsource": "OSVDB",
"url": "http://osvdb.org/92117"
},
{
"name": "http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html",
"refsource": "MISC",
"url": "http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html"
},
{
"name": "karteekdocsplit-cve20131933-command-exec(83277)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83277"
},
{
"name": "[oss-security] 20130408 Re: Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/04/08/15"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1933",
"cvss_v2": 9.3,
"date": "2013-04-08",
"description": "Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
"gem": "karteek-docsplit",
"osvdb": 92117,
"title": "Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1933"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=0.5.4",
"affected_versions": "All versions up to 0.5.4",
"credit": "@_larry0",
"cvss_v2": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2017-08-28",
"description": "User supplied input isn\u0027t sanitized against shell metacharacters and is fed directly to the shell. If the user is tricked into extracting a file with shell characters, arbitrary code can be executed remotely.",
"fixed_versions": [],
"identifier": "CVE-2013-1933",
"identifiers": [
"CVE-2013-1933"
],
"package_slug": "gem/karteek-docsplit",
"pubdate": "2013-04-25",
"solution": "Nothing yet",
"title": "Remote Command Injection",
"urls": [
"http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html"
],
"uuid": "f960f3e5-e9c2-4a81-aee5-5ccc64eee0dc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:documentcloud:karteek-docsplit:0.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1933"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html",
"refsource": "MISC",
"tags": [],
"url": "http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html"
},
{
"name": "[oss-security] 20130408 Re: Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/04/08/15"
},
{
"name": "92117",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/92117"
},
{
"name": "karteekdocsplit-cve20131933-command-exec(83277)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83277"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2017-08-29T01:33Z",
"publishedDate": "2013-04-25T23:55Z"
}
}
}