7.5

CVE-2013-1802

Exploit
The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dan KubbExtlib Version <= 0.9.15
Dan KubbExtlib Version0.9.2
Dan KubbExtlib Version0.9.3
Dan KubbExtlib Version0.9.4
Dan KubbExtlib Version0.9.5
Dan KubbExtlib Version0.9.6
Dan KubbExtlib Version0.9.7
Dan KubbExtlib Version0.9.8
Dan KubbExtlib Version0.9.9
Dan KubbExtlib Version0.9.10
Dan KubbExtlib Version0.9.11
Dan KubbExtlib Version0.9.12
Dan KubbExtlib Version0.9.13
Dan KubbExtlib Version0.9.14
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.42% 0.873
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00002.html
https://bugzilla.redhat.com/show_bug.cgi?id=917233
https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5...4540e7102b803624cc2eade4bb8aaaa934fc31c5
Patch
Exploit