The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264
Products Affected
| Vendor | Product | Version |
|---|---|---|
| john_nunemaker | crack | * |
| john_nunemaker | crack | 0.2.0 |
| john_nunemaker | crack | 0.1.8 |
| john_nunemaker | crack | 0.3.0 |
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264
Products Affected
| Vendor | Product | Version |
|---|---|---|
| john_nunemaker | httparty | 0.4.0 |
| john_nunemaker | httparty | 0.4.1 |
| john_nunemaker | httparty | 0.1.1 |
| john_nunemaker | httparty | 0.5.2 |
| john_nunemaker | httparty | 0.7.8 |
| john_nunemaker | httparty | 0.2.0 |
| john_nunemaker | httparty | 0.2.1 |
| john_nunemaker | httparty | 0.5.1 |
| john_nunemaker | httparty | 0.8.0 |
| john_nunemaker | httparty | 0.4.3 |
| john_nunemaker | httparty | 0.7.0 |
| john_nunemaker | httparty | 0.2.2 |
| john_nunemaker | httparty | 0.5.0 |
| john_nunemaker | httparty | 0.7.7 |
| john_nunemaker | httparty | 0.2.3 |
| john_nunemaker | httparty | 0.7.3 |
| john_nunemaker | httparty | 0.1.3 |
| john_nunemaker | httparty | 0.1.5 |
| john_nunemaker | httparty | 0.7.5 |
| john_nunemaker | httparty | 0.4.2 |
| john_nunemaker | httparty | 0.7.6 |
| john_nunemaker | httparty | 0.2.6 |
| john_nunemaker | httparty | 0.7.2 |
| john_nunemaker | httparty | 0.7.4 |
| john_nunemaker | httparty | 0.4.4 |
| john_nunemaker | httparty | 0.2.8 |
| john_nunemaker | httparty | 0.2.10 |
| john_nunemaker | httparty | 0.8.2 |
| john_nunemaker | httparty | * |
| john_nunemaker | httparty | 0.1.8 |
| john_nunemaker | httparty | 0.3.0 |
| john_nunemaker | httparty | 0.2.5 |
| john_nunemaker | httparty | 0.4.5 |
| john_nunemaker | httparty | 0.6.0 |
| john_nunemaker | httparty | 0.2.4 |
| john_nunemaker | httparty | 0.2.9 |
| john_nunemaker | httparty | 0.1.7 |
| john_nunemaker | httparty | 0.8.3 |
| john_nunemaker | httparty | 0.8.1 |
| john_nunemaker | httparty | 0.1.0 |
| john_nunemaker | httparty | 0.1.2 |
| john_nunemaker | httparty | 0.7.1 |
| john_nunemaker | httparty | 0.2.7 |
| john_nunemaker | httparty | 0.3.1 |
| john_nunemaker | httparty | 0.1.6 |
| john_nunemaker | httparty | 0.6.1 |
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter issue. A remote, unauthenticated attacker can supply a crafted filename parameter during multipart/form-data uploads, which could result in attacker-controlled filenames being written.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| john_nunemaker | httparty | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 39 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 38 |