mailing list archives
Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)
From: Jon Yurek <jyurek () thoughtbot com>
Date: Tue, 22 Oct 2013 16:18:05 -0400
Recursive Interpolation Vulnerability in Cocaine rubygem
There is a vulnerability interpolating variabled recursively in Cocaine. This vulnerability has been assigned the CVE
Versions Affected: 0.4.x, 0.5.1, 0.5.2
Not affected: 0.3.x
Fixed Versions: 0.5.3
Due to the method of variable interpolation in Cocaine 0.4.0 to 0.5.2, an attacker may be able to inject hostile
commands into a command line via a crafted hash object which are not properly escaped.
The impact is lessened on Ruby version 1.8.* because hashed are not ordered by default, and so an attacker must rely on
luck for the attack to work.
An attack of this sort cannot take place if there is only one value being interpolated into the command line.
Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the 2.7 branch of
Paperclip will not need to upgrade as the version of Cocaine it uses is not vulnerable to this attack.
Version 0.5.3 fixes the problem involved and is available at rubygems.org
Thanks to Holger Just for reporting this!
- Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457) Jon Yurek (Oct 22)