
Related vulnerabilities

GSD-2013-0262

Vulnerability from gsd - Updated: 2013-02-07 00:00
Details
rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." The record below lists 1.4.5 and 1.5.2 as the fixed versions and classifies the issue as CWE-22 (CVSS v2 base score 4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N).
Aliases

{
  "GSD": {
    "alias": "CVE-2013-0262",
    "description": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"",
    "id": "GSD-2013-0262",
    "references": [
      "https://www.suse.com/security/cve/CVE-2013-0262.html",
      "https://access.redhat.com/errata/RHSA-2013:0638"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "rack",
            "purl": "pkg:gem/rack"
          }
        }
      ],
      "aliases": [
        "CVE-2013-0262",
        "OSVDB-89938"
      ],
      "details": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"",
      "id": "GSD-2013-0262",
      "modified": "2013-02-07T00:00:00.000Z",
      "published": "2013-02-07T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0262"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 4.3,
          "type": "CVSS_V2"
        }
      ],
      "summary": "CVE-2013-0262 rubygem-rack: Path sanitization information disclosure"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-0262",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html"
          },
          {
            "name": "http://rack.github.com/",
            "refsource": "MISC",
            "url": "http://rack.github.com/"
          },
          {
            "name": "http://secunia.com/advisories/52033",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/52033"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=909071",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909071"
          },
          {
            "name": "https://gist.github.com/rentzsch/4736940",
            "refsource": "MISC",
            "url": "https://gist.github.com/rentzsch/4736940"
          },
          {
            "name": "https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56",
            "refsource": "MISC",
            "url": "https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56"
          },
          {
            "name": "https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30",
            "refsource": "MISC",
            "url": "https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30"
          },
          {
            "name": "https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ",
            "refsource": "MISC",
            "url": "https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ"
          },
          {
            "name": "https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ",
            "refsource": "MISC",
            "url": "https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=909072",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909072"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2013-0262",
      "cvss_v2": 4.3,
      "date": "2013-02-07",
      "description": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"",
      "gem": "rack",
      "osvdb": 89938,
      "patched_versions": [
        "~\u003e 1.4.5",
        "\u003e= 1.5.2"
      ],
      "title": "CVE-2013-0262 rubygem-rack: Path sanitization information disclosure",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0262"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.4.0 \u003c1.4.5 || \u003e=1.5.0 \u003c1.5.2",
          "affected_versions": "All versions starting from 1.4.0 before 1.4.5, all versions starting from 1.5.0 before 1.5.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2018-08-13",
          "description": "Affected versions allow attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"",
          "fixed_versions": [
            "1.4.5",
            "1.5.2"
          ],
          "identifier": "CVE-2013-0262",
          "identifiers": [
            "CVE-2013-0262"
          ],
          "package_slug": "gem/rack",
          "pubdate": "2013-02-08",
          "solution": "Upgrade",
          "title": "Symlink path traversal in Rack::File",
          "urls": [
            "http://rack.github.com/"
          ],
          "uuid": "a377e5d0-7fb3-4415-97ba-d61ff644c9fd"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0262"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=909072",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909072"
            },
            {
              "name": "52033",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/52033"
            },
            {
              "name": "http://rack.github.com/",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://rack.github.com/"
            },
            {
              "name": "https://gist.github.com/rentzsch/4736940",
              "refsource": "MISC",
              "tags": [],
              "url": "https://gist.github.com/rentzsch/4736940"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=909071",
              "refsource": "MISC",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909071"
            },
            {
              "name": "https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56",
              "refsource": "MISC",
              "tags": [],
              "url": "https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56"
            },
            {
              "name": "https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30"
            },
            {
              "name": "openSUSE-SU-2013:0462",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html"
            },
            {
              "name": "https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ",
              "refsource": "MISC",
              "tags": [],
              "url": "https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ"
            },
            {
              "name": "https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ",
              "refsource": "MISC",
              "tags": [],
              "url": "https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T04:40Z",
      "publishedDate": "2013-02-08T20:55Z"
    }
  }
}