GSD-2013-5671
Vulnerability from gsd — Updated: 2013-09-03 00:00
Details
The fog-dragonfly gem 0.8.2 for Ruby passes unescaped, user-supplied input to a shell command in
lib/dragonfly/imagemagickutils.rb (OS command injection). A remote attacker may be able to execute
arbitrary commands on the host running the application. Upgrade to fog-dragonfly 0.8.4 or later; the gem
has since been renamed, so new installs should use "dragonfly". Note that the flaw is in the fog-dragonfly
gem, not in Dragonfly itself, although some package fields in this record (the OSV "affected" entry and one
of the GitLab advisories) list the package as "dragonfly" — check both gem names when auditing a Gemfile.lock.
Aliases
{
"GSD": {
"alias": "CVE-2013-5671",
"description": "lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors.",
"id": "GSD-2013-5671"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "dragonfly",
"purl": "pkg:gem/dragonfly"
}
}
],
"aliases": [
"CVE-2013-5671",
"OSVDB-96798"
],
"details": "fog-dragonfly Gem for Ruby contains a flaw that is due to the program\nfailing to properly sanitize input passed via the imagemagickutils.rb script.\nThis may allow a remote attacker to execute arbitrary commands.\n",
"id": "GSD-2013-5671",
"modified": "2013-09-03T00:00:00.000Z",
"published": "2013-09-03T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5671",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20130903 Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2013/Sep/18"
},
{
"name": "[oss-security] 20130901 Re: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q3/528"
},
{
"name": "http://www.vapid.dhs.org/advisories/fog-dragonfly-0.8.2-cmd-inj.html",
"refsource": "MISC",
"url": "http://www.vapid.dhs.org/advisories/fog-dragonfly-0.8.2-cmd-inj.html"
},
{
"name": "[oss-security] 20130901 Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q3/526"
},
{
"name": "96798",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/96798"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-5671",
"cvss_v2": 7.5,
"date": "2013-09-03",
"description": "fog-dragonfly Gem for Ruby contains a flaw that is due to the program\nfailing to properly sanitize input passed via the imagemagickutils.rb script.\nThis may allow a remote attacker to execute arbitrary commands.\n\nThis gem has been renamed. Please use \"dragonfly\" from now on.\n",
"gem": "fog-dragonfly",
"osvdb": 96798,
"patched_versions": [
"\u003e= 0.8.4"
],
"title": "fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5671"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "=0.8.2",
"affected_versions": "Version 0.8.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-05-13",
"description": "lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors.",
"fixed_versions": [
"0.8.4"
],
"identifier": "CVE-2013-5671",
"identifiers": [
"CVE-2013-5671"
],
"not_impacted": "All versions before 0.8.2, all versions after 0.8.2",
"package_slug": "gem/dragonfly",
"pubdate": "2014-05-12",
"solution": "Upgrade to version 0.8.4 or above.",
"title": "Command Injection",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2013-5671",
"http://seclists.org/oss-sec/2013/q3/528",
"http://seclists.org/oss-sec/2013/q3/526",
"http://www.osvdb.org/96798",
"http://www.vapid.dhs.org/advisories/fog-dragonfly-0.8.2-cmd-inj.html",
"http://seclists.org/fulldisclosure/2013/Sep/18"
],
"uuid": "cbd237a3-7b9e-42bf-aa04-fde55f05acc5"
},
{
"affected_range": "\u003c=0.8.2",
"affected_versions": "All versions up to 0.8.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-05-13",
"description": "Unescaped user supplied input is passed to the command line for shell execution in `lib/dragonfly/imagemagickutils.rb`.",
"fixed_versions": [],
"identifier": "CVE-2013-5671",
"identifiers": [
"CVE-2013-5671"
],
"package_slug": "gem/fog-dragonfly",
"pubdate": "2014-05-12",
"solution": "This is a vulnerability in the fog-dragonfly gem, not a vulnerability in Dragonfly.\r\nPossibly related fixes in Dragonfly are linked below (see the two commits under urls).",
"title": "Remote Command Injection",
"urls": [
"https://github.com/markevans/dragonfly/commit/47f95bd6b8af11fb0a44d6ab1c6f7d00d880cb68",
"https://github.com/markevans/dragonfly/commit/ff141bb1d921fff506084b62a562f7a83d5e01fe#lib/dragonfly/image_magick/utils.rb"
],
"uuid": "2843db75-d4ea-4e71-8f43-1bb8eda857ae"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mark_evans:fog-dragonfly:0.8.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5671"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130901 Re: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem",
"refsource": "MLIST",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q3/528"
},
{
"name": "[oss-security] 20130901 Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem",
"refsource": "MLIST",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2013/q3/526"
},
{
"name": "96798",
"refsource": "OSVDB",
"tags": [],
"url": "http://www.osvdb.org/96798"
},
{
"name": "http://www.vapid.dhs.org/advisories/fog-dragonfly-0.8.2-cmd-inj.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://www.vapid.dhs.org/advisories/fog-dragonfly-0.8.2-cmd-inj.html"
},
{
"name": "20130903 Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem",
"refsource": "FULLDISC",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2013/Sep/18"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2014-05-13T12:38Z",
"publishedDate": "2014-05-12T14:55Z"
}
}
}