Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-4203
Vulnerability from gsd - Updated: 2013-08-02 00:00Details
rgpg Gem for Ruby contains a flaw in the GpgHelper module
(lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
sanitize user-supplied input before being used in the system() function for
execution. This may allow a remote attacker to execute arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4203",
"description": "The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.",
"id": "GSD-2013-4203",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2013-4203"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rgpg",
"purl": "pkg:gem/rgpg"
}
}
],
"aliases": [
"CVE-2013-4203",
"OSVDB-95948"
],
"details": "rgpg Gem for Ruby contains a flaw in the GpgHelper module\n(lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly\nsanitize user-supplied input before being used in the system() function for\nexecution. This may allow a remote attacker to execute arbitrary commands.\n",
"id": "GSD-2013-4203",
"modified": "2013-08-02T00:00:00.000Z",
"published": "2013-08-02T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4203"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4203",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130802 Re: Rgpg Ruby Gem Remote Command Injection (CVE Request)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/08/03/2"
},
{
"name": "https://github.com/rcook/rgpg/commit/b819b13d198495f3ecd2762a0dbe27bb6fae3505",
"refsource": "CONFIRM",
"url": "https://github.com/rcook/rgpg/commit/b819b13d198495f3ecd2762a0dbe27bb6fae3505"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4203",
"cvss_v2": 7.5,
"date": "2013-08-02",
"description": "rgpg Gem for Ruby contains a flaw in the GpgHelper module\n(lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly\nsanitize user-supplied input before being used in the system() function for\nexecution. This may allow a remote attacker to execute arbitrary commands.\n",
"gem": "rgpg",
"osvdb": 95948,
"patched_versions": [
"\u003e= 0.2.3"
],
"title": "rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4203"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.2.3",
"affected_versions": "All versions before 0.2.3",
"credit": "Larry W. Cashdollar (@_larry0)",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937",
"CWE-94"
],
"date": "2013-10-15",
"description": "Some code does not sanitize user supplied input before passing it to the `System()` function for execution. If this API is used in the context of a RoR application remote commands can be injected into the shell if the user supplies shell meta characters like `;` and `\u0026`.",
"fixed_versions": [
"0.2.3"
],
"identifier": "CVE-2013-4203",
"identifiers": [
"CVE-2013-4203"
],
"package_slug": "gem/rgpg",
"pubdate": "2013-10-11",
"solution": "Update to 0.2.3",
"title": "Remote Command Injection",
"urls": [
"http://vapid.dhs.org/advisories/rgpg-api-rubygem-cmd-inj.html"
],
"uuid": "19a38738-834f-46ce-b045-401ebf4d68c5"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:richard_cook:rgpg:*:-:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "0.2.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:richard_cook:rgpg:0.2.1:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:richard_cook:rgpg:0.2.0:-:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4203"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rcook/rgpg/commit/b819b13d198495f3ecd2762a0dbe27bb6fae3505",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/rcook/rgpg/commit/b819b13d198495f3ecd2762a0dbe27bb6fae3505"
},
{
"name": "[oss-security] 20130802 Re: Rgpg Ruby Gem Remote Command Injection (CVE Request)",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/08/03/2"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-10-15T15:55Z",
"publishedDate": "2013-10-11T22:55Z"
}
}
}