Lucene search

GitHub Advisory DatabaseGHSA-HXX6-P24V-WG8C

HistoryOct 24, 2017 - 6:33 p.m.

Curl Gem insufficient URL escaping command injection

2017-10-2418:33:37

CWE-94

GitHub Advisory Database

github.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.8%

JSON

lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Affected configurations

Vulners

Node

curlcurlRange≤0.0.9

VendorProductVersionCPE
curlcurl*cpe:2.3:a:curl:curl:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
curl	curl	*	cpe:2.3:a:curl:curl::::::::

References

packetstormsecurity.com/files/120778/Ruby-Gem-Curl-Command-Execution.html

seclists.org/fulldisclosure/2013/Mar/124

www.openwall.com/lists/oss-security/2013/03/19/9

github.com/advisories/GHSA-hxx6-p24v-wg8c

github.com/rubysec/ruby-advisory-db/blob/master/gems/curl/CVE-2013-2617.yml

nvd.nist.gov/vuln/detail/CVE-2013-2617

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.009

Percentile

82.8%

JSON

Related for GHSA-HXX6-P24V-WG8C