CVE-2013-1756

The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/52380
http://www.securityfocus.com/bid/58225
https://exchange.xforce.ibmcloud.com/vulnerabilities/82476
https://github.com/markevans/dragonfly/commit/a8775aacf9e5c81cf11bec34b7afa7f27ddfe277	Vendor Advisory
https://groups.google.com/forum/?fromgroups=#%21topic/dragonfly-users/3c3WIU3VQTo

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.0:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.1:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.2:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.3:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.4:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.5:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.6:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.7.7:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.8.0:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.8.1:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.8.2:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.8.4:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.8.5:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.0:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.1:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.2:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.3:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.4:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.5:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.6:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.7:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.8:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.9:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.10:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.11:::::::*
	cpe:2.3:a:mark_evans:dragonfly_gem:0.9.12:::::::*

cpe:2.3:a:ruby_on_rails:ruby_on_rails:*:*:*:*:*:*:*:*

History

07 Nov 2023, 02:14

Type	Values Removed	Values Added
References	{'url': 'https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo', 'name': 'https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo', 'tags': [], 'refsource': 'CONFIRM'}	() https://groups.google.com/forum/?fromgroups=#%21topic/dragonfly-users/3c3WIU3VQTo -

Information

Published : 2014-06-09 19:55

Updated : 2024-02-28 12:20

NVD link : CVE-2013-1756

Mitre link : CVE-2013-1756

CVE.ORG link : CVE-2013-1756

JSON object : View

Products Affected

ruby_on_rails

ruby_on_rails

mark_evans

dragonfly_gem

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.5 /10