Vulnerability Details : CVE-2013-1800
The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
Vulnerability category: Execute codeDenial of service
Products affected by CVE-2013-1800
- cpe:2.3:a:john_nunemaker:crack:*:*:*:*:*:*:*:*
- cpe:2.3:a:john_nunemaker:crack:0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:john_nunemaker:crack:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:john_nunemaker:crack:0.1.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1800
6.52%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 94 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-1800
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2013-1800
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1800
-
https://bugzilla.novell.com/show_bug.cgi?id=804721
Bug 804721 – VUL-0: CVE-2013-1800: rubygem-crack: XML parsing issues
-
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00003.html
[security-announce] SUSE-SU-2013:0615-1: important: Security update for
-
https://github.com/jnunemaker/crack/commit/e3da1212a1f84a898ee3601336d1dbbf118fb5f6
Remove support for symbol and yaml. · jnunemaker/crack@e3da121 · GitHubExploit;Patch
-
https://bugzilla.redhat.com/show_bug.cgi?id=917236
917236 – (CVE-2013-1800) CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability
-
https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately
January 14, 2013: Security vulnerabilities: httparty, extlib, crack, nori: Update these gems immediately – Engine Yard Developer Center
Jump to