Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA0NjMtNjM5ci1xOWc5
Dragonfly Code Injection vulnerability
The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.
Permalink: https://github.com/advisories/GHSA-p463-639r-q9g9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA0NjMtNjM5ci1xOWc5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 7 years ago
Updated: about 1 year ago
Identifiers: GHSA-p463-639r-q9g9, CVE-2013-1756
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-1756
- https://github.com/markevans/dragonfly/commit/a8775aacf9e5c81cf11bec34b7afa7f27ddfe277
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82476
- https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo
- https://web.archive.org/web/20200229103538/http://www.securityfocus.com/bid/58225
- https://github.com/advisories/GHSA-p463-639r-q9g9
Blast Radius: 0.0
Affected Packages
rubygems:dragonfly
Dependent packages: 101Dependent repositories: 2,253
Downloads: 7,154,004 total
Affected Version Ranges: >= 0.9, < 0.9.13, >= 0.7, < 0.8.6
Fixed in: 0.9.13, 0.8.6
All affected versions: 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.8.0, 0.8.1, 0.8.2, 0.8.4, 0.8.5, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12
All unaffected versions: 0.1.0, 0.1.1, 0.1.4, 0.1.5, 0.1.6, 0.2.1, 0.3.0, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.8.6, 0.9.13, 0.9.14, 0.9.15, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.3.0, 1.4.0