GSD-2013-1898
Vulnerability from gsd - Updated: 2013-03-26 00:00
Details
The Thumbshooter gem for Ruby contains a flaw caused by the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL containing shell metacharacters, a context-dependent attacker can execute arbitrary commands.
Aliases
{
"GSD": {
"alias": "CVE-2013-1898",
"description": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.",
"id": "GSD-2013-1898"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "thumbshooter",
"purl": "pkg:gem/thumbshooter"
}
}
],
"aliases": [
"CVE-2013-1898",
"OSVDB-91839"
],
"details": "Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.",
"id": "GSD-2013-1898",
"modified": "2013-03-26T00:00:00.000Z",
"published": "2013-03-26T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1898"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"refsource": "MISC",
"url": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html"
},
{
"name": "20130326 Ruby gem Thumbshooter 0.1.5 remote command\texecution",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2013/Mar/218"
},
{
"name": "91839",
"refsource": "OSVDB",
"url": "http://osvdb.org/91839"
},
{
"name": "[oss-security] 20130326 Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/3"
},
{
"name": "[oss-security] 20130326 Re: Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/13"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-1898",
"cvss_v2": 7.5,
"date": "2013-03-26",
"description": "Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.",
"gem": "thumbshooter",
"osvdb": 91839,
"title": "Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1898"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=0.1.5",
"affected_versions": "All versions up to 0.1.5",
"credit": "@_larry0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937",
"CWE-94"
],
"date": "2013-04-10",
"description": "Specially crafted URLs can result in remote code execution if the URL contains shell metacharacters. This is due to the fact that the url is passed directly to the shell in the code thumbshooter.rb create method. ",
"fixed_versions": [],
"identifier": "CVE-2013-1898",
"identifiers": [
"CVE-2013-1898"
],
"package_slug": "gem/thumbshooter",
"pubdate": "2013-04-09",
"title": "Remote code execution",
"urls": [
"http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1898"
],
"uuid": "ed97b29b-224e-486d-a433-84a86761aae2"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:digineo:thumbshooter:0.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1898"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130326 Re: Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/13"
},
{
"name": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html",
"refsource": "MISC",
"tags": [],
"url": "http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html"
},
{
"name": "91839",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/91839"
},
{
"name": "[oss-security] 20130326 Ruby gem Thumbshooter 0.1.5 remote code execution",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2013/03/26/3"
},
{
"name": "20130326 Ruby gem Thumbshooter 0.1.5 remote command\texecution",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2013/Mar/218"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-10T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.