Related vulnerabilities
GSD-2013-2090
Vulnerability from gsd - Updated: 2013-05-14 00:00
Details
The Creme Fraiche gem for Ruby contains a flaw caused by its failure to properly sanitize file names. Using a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands. The record below lists versions before 0.6.1 as affected and 0.6.1 as the fixed version.
Aliases
{
"GSD": {
"alias": "CVE-2013-2090",
"description": "The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NOTE: some of these details are obtained from third party information.",
"id": "GSD-2013-2090",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2013-2090"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "cremefraiche",
"purl": "pkg:gem/cremefraiche"
}
}
],
"aliases": [
"CVE-2013-2090",
"OSVDB-93395"
],
"details": "Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
"id": "GSD-2013-2090",
"modified": "2013-05-14T00:00:00.000Z",
"published": "2013-05-14T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2090"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.3,
"type": "CVSS_V2"
}
],
"summary": "Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2090",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "cremefraiche-ruby-cve20132090-command-exec(84271)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84271"
},
{
"name": "http://www.vapid.dhs.org/advisories/cremefraiche-cmd-inj.html",
"refsource": "MISC",
"url": "http://www.vapid.dhs.org/advisories/cremefraiche-cmd-inj.html"
},
{
"name": "53391",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/53391"
},
{
"name": "http://packetstormsecurity.com/files/121635/Ruby-Gem-Creme-Fraiche-0.6-Command-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/121635/Ruby-Gem-Creme-Fraiche-0.6-Command-Injection.html"
},
{
"name": "93395",
"refsource": "OSVDB",
"url": "http://osvdb.org/93395"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-2090",
"cvss_v2": 9.3,
"date": "2013-05-14",
"description": "Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
"gem": "cremefraiche",
"osvdb": 93395,
"patched_versions": [
"\u003e= 0.6.1"
],
"title": "Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2090"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.6.1",
"affected_versions": "All versions before 0.6.1",
"credit": "Larry W. Cashdollar (@_larry0)",
"cvss_v2": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2017-08-28",
"description": "A malicious email attachment with a file name consisting of shell metacharacters could inject commands into the shell. If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.",
"fixed_versions": [
"0.6.1"
],
"identifier": "CVE-2013-2090",
"identifiers": [
"CVE-2013-2090"
],
"package_slug": "gem/cremefraiche",
"pubdate": "2014-05-27",
"solution": "Update to 0.6.1",
"title": "Remote command Injection in Creme Fraiche 0.6 Ruby Gem",
"urls": [
"http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html"
],
"uuid": "ab33057a-d6f8-415e-bcca-16eefa7a5277"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.5.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.5.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.4.5:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.4.5.5:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.4.5.4:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.5:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.4.5.6:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "0.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.5.3:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.4.5.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:uplawski:creme_fraiche:0.4.5.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2090"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "93395",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/93395"
},
{
"name": "53391",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/53391"
},
{
"name": "http://packetstormsecurity.com/files/121635/Ruby-Gem-Creme-Fraiche-0.6-Command-Injection.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/121635/Ruby-Gem-Creme-Fraiche-0.6-Command-Injection.html"
},
{
"name": "http://www.vapid.dhs.org/advisories/cremefraiche-cmd-inj.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://www.vapid.dhs.org/advisories/cremefraiche-cmd-inj.html"
},
{
"name": "cremefraiche-ruby-cve20132090-command-exec(84271)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84271"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-29T01:33Z",
"publishedDate": "2014-05-27T14:55Z"
}
}
}