CVE-2013-1801 — Injection in Httparty

CWE-74 — Injection9 documents5 sources

Severity

7.5HIGHNVD

EPSS

3.0%

top 13.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jnunemaker Httparty

Timeline

PublishedApr 9

Latest updateOct 24

Description

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶RubyGemsjnunemaker/httparty< 0.10.0

▶NVDjnunemaker/httparty0.9.0+45

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

HTTParty does not restrict casts of string values↗2017-10-24

▶

OSV

HTTParty does not restrict casts of string values↗2017-10-24

▶

CVEList

CVE-2013-1801: The httparty gem 0↗2013-04-09

▶

💬Community

Bugzilla

CVE-2013-6368 kvm: cross page vapic_addr access↗2013-11-19

▶

Bugzilla

CVE-2013-6367 kvm: division by zero in apic_get_tmcct()↗2013-11-19

▶

Bugzilla

CVE-2013-1801 Ruby Gem httparty: YAML parameter parsing vulnerability [fedora-all]↗2013-03-02

▶

Bugzilla

CVE-2013-1801 Ruby Gem httparty: YAML parameter parsing vulnerability [epel-all]↗2013-03-02

▶

Bugzilla

CVE-2013-1801 rubygem-httparty: YAML parameter parsing vulnerability↗2013-03-02

▶