Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-4413
Vulnerability from gsd - Updated: 2013-10-08 00:00Details
Wicked Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the 'the_step' parameter upon submission to the render_redirect.rb script. This may allow a remote attacker to gain access to arbitrary files.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4413",
"description": "Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.",
"id": "GSD-2013-4413"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "wicked",
"purl": "pkg:gem/wicked"
}
}
],
"aliases": [
"CVE-2013-4413",
"OSVDB-98270"
],
"details": "Wicked Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the \u0027the_step\u0027 parameter upon submission to the render_redirect.rb script. This may allow a remote attacker to gain access to arbitrary files.",
"id": "GSD-2013-4413",
"modified": "2013-10-08T00:00:00.000Z",
"published": "2013-10-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4413"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "Wicked Gem for Ruby contains a flaw"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4413",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "55151",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55151"
},
{
"name": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53",
"refsource": "CONFIRM",
"url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"
},
{
"name": "wicked-gem-cve20134413-dir-trav(87783)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"
},
{
"name": "62891",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/62891"
},
{
"name": "[oss-security] 20131009 Re: Vulnerability Reported in my Ruby Gem",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/43"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4413",
"cvss_v2": 5.0,
"date": "2013-10-08",
"description": "Wicked Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the \u0027the_step\u0027 parameter upon submission to the render_redirect.rb script. This may allow a remote attacker to gain access to arbitrary files.",
"gem": "wicked",
"osvdb": 98270,
"patched_versions": [
"\u003e= 1.0.1"
],
"title": "Wicked Gem for Ruby contains a flaw",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4413"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.0.1",
"affected_versions": "All versions before 1.0.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2017-08-28",
"description": "A vulnerability has been reported allowing an attacker to read arbitrary files on a system. Specially crafted url strings can be used to access unintended files via an escaped slash character `%2e` ",
"fixed_versions": [
"1.0.1"
],
"identifier": "CVE-2013-4413",
"identifiers": [
"CVE-2013-4413"
],
"package_slug": "gem/wicked",
"pubdate": "2014-03-11",
"solution": "Upgrade to latest",
"title": "Non properly sanitized input allows attackers to gain access to arbitrary files.",
"urls": [
"http://seclists.org/oss-sec/2013/q4/43",
"https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"
],
"uuid": "5309a588-9739-4ee5-a84d-d0dd33188609"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.4.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.3.4:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.5:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.4:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.6.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.5.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.2.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.6:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.0.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.3.3:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.3.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.3:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.6.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.3.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.3.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.1.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:schneems:wicked:0.0.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4413"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "62891",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/62891"
},
{
"name": "[oss-security] 20131009 Re: Vulnerability Reported in my Ruby Gem",
"refsource": "MLIST",
"tags": [
"Patch"
],
"url": "http://seclists.org/oss-sec/2013/q4/43"
},
{
"name": "55151",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55151"
},
{
"name": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"
},
{
"name": "wicked-gem-cve20134413-dir-trav(87783)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-29T01:33Z",
"publishedDate": "2014-03-11T19:37Z"
}
}
}