List: oss-security
Subject: [oss-security] Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)
From: Jon Yurek <jyurek () thoughtbot ! com>
Date: 2013-10-22 20:18:05
Message-ID: 777A8DF3-2A37-46F8-A3B3-91595AC04CEF () thoughtbot ! com
Recursive Interpolation Vulnerability in Cocaine rubygem
There is a vulnerability interpolating variables recursively in Cocaine. This vulnerability has been assigned the CVE identifier CVE-2013-4457.
Versions Affected: 0.4.x, 0.5.1, 0.5.2
Not affected: 0.3.x
Fixed Versions: 0.5.3
Impact
------
Due to the method of variable interpolation in Cocaine 0.4.0 to 0.5.2, an attacker may be able to inject hostile commands into a command line via a crafted hash object whose values are not properly escaped.
The impact is lessened on Ruby version 1.8.* because hashes are not ordered by default, and so an attacker must rely on luck for the attack to work.
An attack of this sort cannot take place if there is only one value being interpolated into the command line.
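To make the failure mode concrete, here is an added example (not Cocaine's source and not part of this advisory) that models the two interpolation strategies side by side. The quoting helper, the placeholder syntax `:name`, the function names and the sample values are all assumptions chosen for illustration. The sequential version substitutes each key in turn, so a placeholder-like token that arrived inside an earlier value is scanned again and replaced by a later, quoted value, which breaks the quoting of the argument it landed in. The single-pass version scans the original pattern exactly once, so inserted text is never re-interpolated and each value stays a single shell argument.

```ruby
require 'shellwords'

# Constructed quoting helper for this example; it is not Cocaine's code.
# Values are wrapped in single quotes, the usual POSIX way to turn a string
# into one literal argument; embedded quotes become '\'' sequences.
def shell_quote(value)
  str = value.to_s
  return "''" if str.empty?
  str.split("'", -1).map { |part| "'#{part}'" }.join("\\'")
end

# Sequential interpolation: keys are substituted one after another, so text
# that arrived in an earlier value is scanned again for later placeholders.
# (On Ruby 1.8, where hashes are unordered, which key comes "later" is
# unpredictable, which is why the advisory says the attack relies on luck there.)
def interpolate_sequential(pattern, values)
  values.inject(pattern) do |command, (key, value)|
    # Block form on purpose: a plain string replacement would reinterpret
    # the \' sequences produced by shell_quote as back-references.
    command.gsub(":#{key}") { shell_quote(value) }
  end
end

# Single-pass interpolation: the original pattern is scanned once and each
# placeholder is quoted and inserted exactly once. Whatever a value contains
# is never re-scanned, so it cannot stand in for another placeholder.
def interpolate_single_pass(pattern, values)
  pattern.gsub(/:([A-Za-z_]\w*)/) do |placeholder|
    key = Regexp.last_match(1).to_sym
    values.key?(key) ? shell_quote(values[key]) : placeholder
  end
end

# Constructed inputs (assumed, not from the advisory): the first value happens
# to contain the text ":dest", the second contains an apostrophe that the
# quoting must preserve.
PATTERN = "convert :src :dest".freeze
VALUES  = { src: "photo :dest", dest: "it's.png" }.freeze

# Split a command line the way /bin/sh would, so a quoting break shows up
# as a changed argument list rather than as a subtle string difference.
def argv_for(command_line)
  Shellwords.split(command_line)
end

if __FILE__ == $PROGRAM_NAME
  seq = interpolate_sequential(PATTERN, VALUES)
  one = interpolate_single_pass(PATTERN, VALUES)
  puts "sequential:  #{seq}"
  puts "  argv => #{argv_for(seq).inspect}"
  puts "single-pass: #{one}"
  puts "  argv => #{argv_for(one).inspect}"
end
```

With these inputs the single-pass form yields `convert 'photo :dest' 'it'\''s.png'`, which the shell splits back into exactly three arguments with the literal text `:dest` intact. The sequential form replaces the `:dest` inside the already-quoted first value as well, and the shell no longer sees the intended three arguments. A useful regression check for any interpolation helper is therefore to run its output through `Shellwords.split` and compare the argument list against the values that went in.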
Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the 2.7 branch of Paperclip will not need to upgrade as the version of Cocaine it uses is not vulnerable to this attack.
Releases
--------
Version 0.5.3 fixes the problem involved and is available at rubygems.org
Credits
-------
Thanks to Holger Just for reporting this!
--
Jon Yurek
http://thoughtbot.com