Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-1948
Vulnerability from gsd - Updated: 2013-04-13 00:00Details
md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-1948",
"description": "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.",
"id": "GSD-2013-1948",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2013-1948"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "md2pdf",
"purl": "pkg:gem/md2pdf"
}
}
],
"aliases": [
"CVE-2013-1948",
"OSVDB-92290"
],
"details": "md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
"id": "GSD-2013-1948",
"modified": "2013-04-13T00:00:00.000Z",
"published": "2013-04-13T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 10.0,
"type": "CVSS_V2"
}
],
"summary": "md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html",
"refsource": "MISC",
"url": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html"
},
{
"name": "92290",
"refsource": "OSVDB",
"url": "http://osvdb.org/92290"
},
{
"name": "md2pdf-cve20131948-command-exec(83416)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83416"
},
{
"name": "59061",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/59061"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1948",
"cvss_v2": 10.0,
"date": "2013-04-13",
"description": "md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
"gem": "md2pdf",
"osvdb": 92290,
"title": "md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1948"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "=0.0.1",
"affected_versions": "Version 0.0.1",
"credit": "@_larry0",
"cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2017-08-28",
"description": "In `md2pdf/converter.rb` we see user supplied input being passed to the command line without proper sanitization.",
"fixed_versions": [],
"identifier": "CVE-2013-1948",
"identifiers": [
"CVE-2013-1948"
],
"package_slug": "gem/md2pdf",
"pubdate": "2013-04-25",
"solution": "Nothing yet.",
"title": "Remote command injection",
"urls": [
"http://vapid.dhs.org/advisories/md2pdf-remote-exec.html"
],
"uuid": "ed17a2fc-e3e3-41a7-941b-35ffe832f48e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rob_westgeest:md2pdf:0.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1948"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92290",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/92290"
},
{
"name": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html",
"refsource": "MISC",
"tags": [],
"url": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html"
},
{
"name": "59061",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/59061"
},
{
"name": "md2pdf-cve20131948-command-exec(83416)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83416"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-29T01:33Z",
"publishedDate": "2013-04-25T23:55Z"
}
}
}