GHSA-mgx3-27hr-mfgp

Suggest an improvement
Source
https://github.com/advisories/GHSA-mgx3-27hr-mfgp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-mgx3-27hr-mfgp/GHSA-mgx3-27hr-mfgp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mgx3-27hr-mfgp
Aliases
  • CVE-2013-1801
Published
2017-10-24T18:33:37Z
Modified
2024-02-16T07:59:57.424644Z
Summary
HTTParty does not restrict casts of string values
Details

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.

References

Affected packages

RubyGems / httparty

Package

Name
httparty
Purl
pkg:gem/httparty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.10.0

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.5
0.1.6
0.1.7
0.1.8
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.7.0
0.7.2
0.7.3
0.7.4
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.8.2
0.8.3
0.9.0

Database specific

{
    "last_known_affected_version_range": "<= 0.9.0"
}