CVE-2013-4489

The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:5.2.0:::::::*
	cpe:2.3:a:gitlab:gitlab:5.3.0:::::::*
	cpe:2.3:a:gitlab:gitlab:5.4.0:::::::*
	cpe:2.3:a:gitlab:gitlab:6.0.0:::::::*
	cpe:2.3:a:gitlab:gitlab:6.1.0:::::::*
	cpe:2.3:a:gitlab:gitlab:6.2.0:::::::*
	cpe:2.3:a:gitlab:gitlab:6.2.1:::::::*
	cpe:2.3:a:gitlab:gitlab:6.2.2:::::::*

History

No history.

Information

Published : 2014-05-17 20:55

Updated : 2023-12-10 11:31

NVD link : CVE-2013-4489

Mitre link : CVE-2013-4489

CVE.ORG link : CVE-2013-4489

JSON object : View

Products Affected

gitlab

gitlab

CWE

NVD-CWE-Other

{"id": "CVE-2013-4489", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-05-17T20:55:02.087", "references": [{"url": "https://www.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature."}, {"lang": "es", "value": "La gema Grit para Ruby, utilizado en GitLab 5.2 anterior a 5.4.1 y 6.x anterior a 6.2.3, permite a usuarios remotos autenticados ejecutar comandos arbitrarios, tal y como fue demostrado por el cuadro de b\u00fasqueda para la funcionalidad de b\u00fasqueda de c\u00f3digo de GitLab."}], "lastModified": "2014-05-19T16:38:35.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:5.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D61A37D-1A91-4C85-9737-E54670401FC6"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:5.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81CB5B34-09DE-4589-824C-97A6D696BD43"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:5.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9C5A188-6B92-46A2-9345-386F90BE362C"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E82B301E-25BD-4438-9696-DF3E290F32B7"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:6.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9B36BD3-69FA-4A22-9377-E86B8E9DFF8F"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDD0A408-7007-4655-A159-12472E4A779E"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:6.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A46F6D6-411B-428A-ACD4-01707433DA88"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:6.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE2BA4DB-3D3E-4DB2-A35C-52B89D357606"}], "operator": "OR"}]}], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/77.html\n\n\"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')\"", "sourceIdentifier": "secalert@redhat.com"}