
    Related vulnerabilities

    GSD-2013-1948

    Vulnerability from gsd - Updated: 2013-04-13 00:00
    Details
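    The md2pdf gem for Ruby does not properly sanitize input passed to md2pdf/converter.rb before that input is used on the command line. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands. The record below lists version 0.0.1 as affected and gives no fixed version, so file names from untrusted sources should not be handed to this gem.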
    Aliases

    {
      "GSD": {
        "alias": "CVE-2013-1948",
        "description": "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.",
        "id": "GSD-2013-1948",
        "references": [
          "https://packetstormsecurity.com/files/cve/CVE-2013-1948"
        ]
      },
      "gsd": {
        "metadata": {
          "exploitCode": "unknown",
          "remediation": "unknown",
          "reportConfidence": "confirmed",
          "type": "vulnerability"
        },
        "osvSchema": {
          "affected": [
            {
              "package": {
                "ecosystem": "RubyGems",
                "name": "md2pdf",
                "purl": "pkg:gem/md2pdf"
              }
            }
          ],
          "aliases": [
            "CVE-2013-1948",
            "OSVDB-92290"
          ],
          "details": "md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
          "id": "GSD-2013-1948",
          "modified": "2013-04-13T00:00:00.000Z",
          "published": "2013-04-13T00:00:00.000Z",
          "references": [
            {
              "type": "WEB",
              "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1948"
            }
          ],
          "schema_version": "1.4.0",
          "severity": [
            {
              "score": 10.0,
              "type": "CVSS_V2"
            }
          ],
          "summary": "md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution"
        }
      },
      "namespaces": {
        "cve.org": {
          "CVE_data_meta": {
            "ASSIGNER": "secalert@redhat.com",
            "ID": "CVE-2013-1948",
            "STATE": "PUBLIC"
          },
          "affects": {
            "vendor": {
              "vendor_data": [
                {
                  "product": {
                    "product_data": [
                      {
                        "product_name": "n/a",
                        "version": {
                          "version_data": [
                            {
                              "version_value": "n/a"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "vendor_name": "n/a"
                }
              ]
            }
          },
          "data_format": "MITRE",
          "data_type": "CVE",
          "data_version": "4.0",
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename."
              }
            ]
          },
          "problemtype": {
            "problemtype_data": [
              {
                "description": [
                  {
                    "lang": "eng",
                    "value": "n/a"
                  }
                ]
              }
            ]
          },
          "references": {
            "reference_data": [
              {
                "name": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html",
                "refsource": "MISC",
                "url": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html"
              },
              {
                "name": "92290",
                "refsource": "OSVDB",
                "url": "http://osvdb.org/92290"
              },
              {
                "name": "md2pdf-cve20131948-command-exec(83416)",
                "refsource": "XF",
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83416"
              },
              {
                "name": "59061",
                "refsource": "BID",
                "url": "http://www.securityfocus.com/bid/59061"
              }
            ]
          }
        },
        "github.com/rubysec/ruby-advisory-db": {
          "cve": "2013-1948",
          "cvss_v2": 10.0,
          "date": "2013-04-13",
          "description": "md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands",
          "gem": "md2pdf",
          "osvdb": 92290,
          "title": "md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1948"
        },
        "gitlab.com": {
          "advisories": [
            {
              "affected_range": "=0.0.1",
              "affected_versions": "Version 0.0.1",
              "credit": "@_larry0",
              "cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "cwe_ids": [
                "CWE-1035",
                "CWE-937"
              ],
              "date": "2017-08-28",
              "description": "In `md2pdf/converter.rb` we see user supplied input being passed to the command line without proper sanitization.",
              "fixed_versions": [],
              "identifier": "CVE-2013-1948",
              "identifiers": [
                "CVE-2013-1948"
              ],
              "package_slug": "gem/md2pdf",
              "pubdate": "2013-04-25",
              "solution": "Nothing yet.",
              "title": "Remote command injection",
              "urls": [
                "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html"
              ],
              "uuid": "ed17a2fc-e3e3-41a7-941b-35ffe832f48e"
            }
          ]
        },
        "nvd.nist.gov": {
          "configurations": {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:a:rob_westgeest:md2pdf:0.0.1:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          },
          "cve": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2013-1948"
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "en",
                  "value": "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "en",
                      "value": "NVD-CWE-noinfo"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "92290",
                  "refsource": "OSVDB",
                  "tags": [],
                  "url": "http://osvdb.org/92290"
                },
                {
                  "name": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html",
                  "refsource": "MISC",
                  "tags": [],
                  "url": "http://vapid.dhs.org/advisories/md2pdf-remote-exec.html"
                },
                {
                  "name": "59061",
                  "refsource": "BID",
                  "tags": [],
                  "url": "http://www.securityfocus.com/bid/59061"
                },
                {
                  "name": "md2pdf-cve20131948-command-exec(83416)",
                  "refsource": "XF",
                  "tags": [],
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83416"
                }
              ]
            }
          },
          "impact": {
            "baseMetricV2": {
              "cvssV2": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "integrityImpact": "COMPLETE",
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 10.0,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "severity": "HIGH",
              "userInteractionRequired": false
            }
          },
          "lastModifiedDate": "2017-08-29T01:33Z",
          "publishedDate": "2013-04-25T23:55Z"
        }
      }
    }