Cocaine rubygem Recursive Interpolation Vulnerability

2013.10.23
Credit: Jon Yurek
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-78


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Recursive Interpolation Vulnerability in Cocaine rubygem

There is a vulnerability interpolating variables recursively in Cocaine. This vulnerability has been assigned the CVE identifier CVE-2013-4457.

Versions Affected: 0.4.x, 0.5.1, 0.5.2
Not affected: 0.3.x
Fixed Versions: 0.5.3

Impact
------

Due to the method of variable interpolation in Cocaine 0.4.0 to 0.5.2, an attacker may be able to inject hostile commands into a command line via a crafted hash object whose values are not properly escaped. The impact is lessened on Ruby version 1.8.* because hashes are not ordered by default, so an attacker must rely on luck for the attack to work. An attack of this sort cannot take place if there is only one value being interpolated into the command line.

Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the 2.7 branch of Paperclip will not need to upgrade, as the version of Cocaine it uses is not vulnerable to this attack.

Releases
--------

Version 0.5.3 fixes the problem involved and is available at rubygems.org.

Credits
-------

Thanks to Holger Just for reporting this!

--
Jon Yurek
http://thoughtbot.com
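To make the mechanism behind "recursive interpolation" concrete, the following is an added example and not Cocaine's own code: it models one-key-at-a-time substitution (where an already-quoted value is scanned again for later placeholders, so the quotes cancel) beside a single-pass substitution that never re-scans inserted text. The function names, the `convert :input :output` template and the hostile hash are constructed for illustration; nothing is executed, the resulting strings are only tokenized.

```ruby
require "shellwords"

# Wrap a value in single quotes for a POSIX shell, escaping embedded quotes.
def shell_quote(value)
  "'" + value.to_s.gsub("'") { "'\\''" } + "'"
end

# Vulnerable pattern (modelled, not Cocaine's code): substitute one key at a
# time, so a value inserted early is scanned again for later keys. The later
# value's quotes then land inside the earlier value's quotes and cancel out.
def interpolate_recursive(pattern, values)
  values.inject(pattern) do |command, (key, value)|
    command.gsub(/:#{Regexp.escape(key.to_s)}\b/) { shell_quote(value) }
  end
end

# Hardened pattern: a single pass over the original template only. Substituted
# text is never re-scanned, so a placeholder inside a value stays literal.
def interpolate_single_pass(pattern, values)
  pattern.gsub(/:(\w+)/) do |match|
    key = Regexp.last_match(1).to_sym
    values.key?(key) ? shell_quote(values[key]) : match
  end
end

# How a POSIX-style tokenizer splits the final command line; a real shell
# would additionally treat any unquoted ';' as a command separator.
def argv_of(command)
  Shellwords.split(command)
end

PATTERN = "convert :input :output"

# Constructed hostile input: two attacker-controlled values, the first one
# smuggling the second key's placeholder (relies on ordered hashes, Ruby >= 1.9).
HOSTILE = { input: ":output", output: "out.png; echo injected" }

def demo
  {
    recursive: interpolate_recursive(PATTERN, HOSTILE),
    single_pass: interpolate_single_pass(PATTERN, HOSTILE),
  }
end

if __FILE__ == $0
  demo.each do |strategy, command|
    puts "#{strategy}: #{command}"
    puts "  argv: #{argv_of(command).inspect}"
  end
end
```

With the recursive strategy the second value ends up as `''out.png; echo injected''`, leaving the `;` outside any quotes; the single-pass strategy yields `':output'` and one fully quoted second argument.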

References:

http://seclists.org/oss-sec/2013/q4/157

