Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-0285
Vulnerability from gsd - Updated: 2013-01-10 00:00Details
The Ruby Gem nori has a parameter parsing error that may allow an attacker
to execute arbitrary code. This vulnerability has to do with type casting
during parsing, and is related to CVE-2013-0156.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-0285",
"description": "The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.",
"id": "GSD-2013-0285"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nori",
"purl": "pkg:gem/nori"
}
}
],
"aliases": [
"CVE-2013-0285",
"OSVDB-90196"
],
"details": "The Ruby Gem nori has a parameter parsing error that may allow an attacker\nto execute arbitrary code. This vulnerability has to do with type casting\nduring parsing, and is related to CVE-2013-0156.\n",
"id": "GSD-2013-0285",
"modified": "2013-01-10T00:00:00.000Z",
"published": "2013-01-10T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0285"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
}
],
"summary": "Ruby Gem nori Parameter Parsing Remote Code Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0285",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130213 Some rubygems related CVEs",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q1/304"
},
{
"name": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately",
"refsource": "MISC",
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0285",
"cvss_v2": 7.5,
"date": "2013-01-10",
"description": "The Ruby Gem nori has a parameter parsing error that may allow an attacker\nto execute arbitrary code. This vulnerability has to do with type casting\nduring parsing, and is related to CVE-2013-0156.\n",
"gem": "nori",
"osvdb": 90196,
"patched_versions": [
"~\u003e 1.0.3",
"~\u003e 1.1.4",
"\u003e= 2.0.2"
],
"title": "Ruby Gem nori Parameter Parsing Remote Code Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0285"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.0.3 || \u003e=1.1.0 \u003c1.1.4 || \u003e=1.2.0 \u003c2.0.2",
"affected_versions": "All versions before 1.0.3, all versions starting from 1.1.0 before 1.1.4, all versions starting from 1.2.0 before 2.0.2",
"credit": "[rubiii](https://github.com/rubiii)",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2013-04-16",
"description": "Nori has a parameter parsing error that may allow an attacker to execute arbitrary code. This vulnerability has to do with type casting during parsing, and is related to CVE-2013-0156.",
"fixed_versions": [
"1.0.3",
"1.1.4",
"2.0.2"
],
"identifier": "CVE-2013-0285",
"identifiers": [
"CVE-2013-0285"
],
"package_slug": "gem/nori",
"pubdate": "2013-04-09",
"solution": "Upgrade",
"title": "Parameter parsing remote code execution",
"urls": [
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0285",
"https://github.com/savonrb/nori/commit/818f5263b1d597b603d46cbe1702cd2717259e32"
],
"uuid": "0624807f-df75-43bc-b90c-e4c74ce4100a"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nori_gem_project:nori_gem:1.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0285"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately",
"refsource": "MISC",
"tags": [],
"url": "https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"
},
{
"name": "[oss-security] 20130213 Some rubygems related CVEs",
"refsource": "MLIST",
"tags": [],
"url": "http://seclists.org/oss-sec/2013/q1/304"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-16T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}