GHSA-mgx3-27hr-mfgp

Source

https://github.com/advisories/GHSA-mgx3-27hr-mfgp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-mgx3-27hr-mfgp/GHSA-mgx3-27hr-mfgp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mgx3-27hr-mfgp

Aliases

CVE-2013-1801

Published

2017-10-24T18:33:37Z

Modified

2024-11-29T05:40:00.539499Z

Summary

HTTParty does not restrict casts of string values

Details

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.

Database specific

{
    "nvd_published_at": "2013-04-09T20:55:01Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:46:12Z"
}

References

Affected packages

RubyGems / httparty

Package

Name: httparty
Purl: pkg:gem/httparty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.10.0

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.5

0.1.6

0.1.7

0.1.8

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.3.0

0.3.1

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.7.0

0.7.2

0.7.3

0.7.4

0.7.6

0.7.7

0.7.8

0.8.0

0.8.1

0.8.2

0.8.3

0.9.0

Database specific

{
    "last_known_affected_version_range": "<= 0.9.0"
}