CVE-2013-2090 : The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem befor

The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NOTE: some of these details are obtained from third party information.

Published 2014-05-27 14:55:06

Updated 2017-08-29 01:33:14

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2013-2090

Uplawski » Creme Fraiche » For Ruby
Versions up to, including, (<=) 0.6
cpe:2.3:a:uplawski:creme_fraiche:*:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.5.2 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.5.2:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.5.1 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.5.1:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.4.5 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.4.5:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.4.5.5 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.4.5.5:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.4.5.4 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.4.5.4:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.5 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.5:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.4.5.6 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.4.5.6:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.5.3 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.5.3:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.4.5.2 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.4.5.2:*:*:*:*:ruby:*:*
Matching versions
Uplawski » Creme Fraiche » Version: 0.4.5.1 For Ruby
cpe:2.3:a:uplawski:creme_fraiche:0.4.5.1:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-2090

EPSS FAQ

0.52%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-2090

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-2090

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-2090

https://exchange.xforce.ibmcloud.com/vulnerabilities/84271

Creme Fraiche gem for Ruby command execution CVE-2013-2090 Vulnerability Report
http://packetstormsecurity.com/files/121635/Ruby-Gem-Creme-Fraiche-0.6-Command-Injection.html

Ruby Gem Creme Fraiche 0.6 Command Injection ≈ Packet Storm
Exploit
http://www.vapid.dhs.org/advisories/cremefraiche-cmd-inj.html

Exploit

Jump to

Vulnerability Details : CVE-2013-2090

Products affected by CVE-2013-2090

Exploit prediction scoring system (EPSS) score for CVE-2013-2090

CVSS scores for CVE-2013-2090

CWE ids for CVE-2013-2090

References for CVE-2013-2090