CVE-2013-1911: Input Validation
First published: Wed Apr 03 2013(Updated: )
`lib/ldoce/word.rb` in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mark Burns Ldoce | =0.0.2 | |
| Ruby-lang Ruby | ||
| rubygems/ldoce | <=0.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html
- http://osvdb.org/91870
- http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html
- http://www.openwall.com/lists/oss-security/2013/03/31/3
- http://www.securityfocus.com/bid/58783
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83163
- https://nvd.nist.gov/vuln/detail/CVE-2013-1911
- https://web.archive.org/web/20200229102422/http://www.securityfocus.com/bid/58783
- https://github.com/markburns/ldoce/issues/1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ldoce/CVE-2013-1911.yml
- https://github.com/advisories/GHSA-g266-3crh-h7gj (Advisory)
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-g266-3crh-h7gj
- alias/CVE-2013-1911
- collector/github-advisory
- agent/type
- agent/event
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- agent/weakness
- agent/references
- collector/mitre-cve
- source/MITRE
- vendor/mark burns
- canonical/mark burns ldoce
- version/mark burns ldoce/0.0.2
- vendor/ruby-lang
- canonical/ruby-lang ruby
- package-manager/rubygems