

GSD-2013-1911

Vulnerability from gsd - Updated: 2013-04-01 00:00
Details
ldoce Gem for Ruby contains a flaw that is triggered when handling a specially crafted MP3 URL or filename into which shell metacharacters have been injected. This may allow a context-dependent attacker to execute arbitrary commands.
Aliases

{
  "GSD": {
    "alias": "CVE-2013-1911",
    "description": "lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.",
    "id": "GSD-2013-1911"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "ldoce",
            "purl": "pkg:gem/ldoce"
          }
        }
      ],
      "aliases": [
        "CVE-2013-1911",
        "OSVDB-91870"
      ],
      "details": "ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected into it. This may allow a context-dependent attacker to execute arbitrary commands.",
      "id": "GSD-2013-1911",
      "modified": "2013-04-01T00:00:00.000Z",
      "published": "2013-04-01T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1911"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 6.8,
          "type": "CVSS_V2"
        }
      ],
      "summary": "ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-1911",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html",
            "refsource": "MISC",
            "url": "http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html"
          },
          {
            "name": "58783",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/58783"
          },
          {
            "name": "20130401 Remote command execution in Ruby Gem ldoce 0.0.2",
            "refsource": "BUGTRAQ",
            "url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html"
          },
          {
            "name": "rubygem-cve20131911-command-exec(83163)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83163"
          },
          {
            "name": "[oss-security] 20130331 Re: Remote command execution in Ruby Gem ldoce 0.0.2",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2013/03/31/3"
          },
          {
            "name": "91870",
            "refsource": "OSVDB",
            "url": "http://osvdb.org/91870"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2013-1911",
      "cvss_v2": 6.8,
      "date": "2013-04-01",
      "description": "ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected into it. This may allow a context-dependent attacker to execute arbitrary commands.",
      "gem": "ldoce",
      "osvdb": 91870,
      "title": "ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1911"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=0.0.2",
          "affected_versions": "All versions up to 0.0.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2017-08-28",
          "description": "The package ldoce passes a URL to the command line for audio output of the pronunciation of a dictionary word. If the URL contains a shell metacharacter, arbitrary code can be executed remotely as the client.",
          "fixed_versions": [],
          "identifier": "CVE-2013-1911",
          "identifiers": [
            "CVE-2013-1911"
          ],
          "package_slug": "gem/ldoce",
          "pubdate": "2013-04-02",
          "solution": "No solution yet.",
          "title": "Remote command execution in Ruby Gem ldoce",
          "urls": [
            "http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html",
            "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1911"
          ],
          "uuid": "2aa7e431-eb94-41c7-b1f0-7690ff39f463"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:mark_burns:ldoce:0.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-1911"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20130331 Re: Remote command execution in Ruby Gem ldoce 0.0.2",
              "refsource": "MLIST",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2013/03/31/3"
            },
            {
              "name": "20130401 Remote command execution in Ruby Gem ldoce 0.0.2",
              "refsource": "BUGTRAQ",
              "tags": [
                "Exploit"
              ],
              "url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html"
            },
            {
              "name": "91870",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://osvdb.org/91870"
            },
            {
              "name": "http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html"
            },
            {
              "name": "58783",
              "refsource": "BID",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.securityfocus.com/bid/58783"
            },
            {
              "name": "rubygem-cve20131911-command-exec(83163)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83163"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2017-08-29T01:33Z",
      "publishedDate": "2013-04-03T00:55Z"
    }
  }
}