Search criteria
Related vulnerabilities
GSD-2013-4489
Vulnerability from gsd - Updated: 2013-11-04 00:00Details
GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script. The issue is triggered when input passed via the code search box is not properly sanitized, which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to execute arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4489",
"description": "The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature.",
"id": "GSD-2013-4489"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "gitlab-grit",
"purl": "pkg:gem/gitlab-grit"
}
}
],
"aliases": [
"CVE-2013-4489",
"OSVDB-99370"
],
"details": "GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script. The issue is triggered when input passed via the code search box is not properly sanitized, which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to execute arbitrary commands.",
"id": "GSD-2013-4489",
"modified": "2013-11-04T00:00:00.000Z",
"published": "2013-11-04T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4489"
}
],
"schema_version": "1.4.0",
"summary": "GitLab Grit Gem for Ruby contains a flaw"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/",
"refsource": "CONFIRM",
"url": "https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4489",
"date": "2013-11-04",
"description": "GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script. The issue is triggered when input passed via the code search box is not properly sanitized, which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to execute arbitrary commands.",
"gem": "gitlab-grit",
"osvdb": 99370,
"patched_versions": [
"\u003e= 2.6.1"
],
"title": "GitLab Grit Gem for Ruby contains a flaw",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4489"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.6.1",
"affected_versions": "All versions before 2.6.1",
"credit": "joernchen of http://www.phenoelit.org/",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-05-19",
"description": "See CVE-2013-4489 advisory for GitLab: Remote code execution vulnerability in the code search feature http://seclists.org/oss-sec/2013/q4/224",
"fixed_versions": [
"2.6.1"
],
"identifier": "CVE-2013-4489",
"identifiers": [
"CVE-2013-4489"
],
"package_slug": "gem/gitlab-grit",
"pubdate": "2014-05-17",
"solution": "Upgrade to 2.6.1",
"title": "Repository#grep accepts Unix pipes by default",
"urls": [
"https://github.com/gitlabhq/grit/commit/40f33a4f4f5604c2a531a1d86901fd81ac4402c4"
],
"uuid": "c94d42e5-e23f-405a-90bb-b202cb46bec7"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:6.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:6.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:5.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:6.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:6.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:5.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:6.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:5.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4489"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2014-05-19T16:38Z",
"publishedDate": "2014-05-17T20:55Z"
}
}
}