CVE-2013-4413 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ruby-lang	Ruby
Schneems	Wicked

Configuration 1 [-]

AND

OR	cpe:2.3:a:schneems:wicked::::::ruby::*
	cpe:2.3:a:schneems:wicked:0.0.1:::::ruby::
	cpe:2.3:a:schneems:wicked:0.0.2:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.0:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.1:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.2:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.3:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.4:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.5:::::ruby::
	cpe:2.3:a:schneems:wicked:0.1.6:::::ruby::
	cpe:2.3:a:schneems:wicked:0.2.0:::::ruby::
	cpe:2.3:a:schneems:wicked:0.3.0:::::ruby::
	cpe:2.3:a:schneems:wicked:0.3.1:::::ruby::
	cpe:2.3:a:schneems:wicked:0.3.2:::::ruby::
	cpe:2.3:a:schneems:wicked:0.3.3:::::ruby::
	cpe:2.3:a:schneems:wicked:0.3.4:::::ruby::
	cpe:2.3:a:schneems:wicked:0.4.0:::::ruby::
	cpe:2.3:a:schneems:wicked:0.5.0:::::ruby::
	cpe:2.3:a:schneems:wicked:0.6.0:::::ruby::
	cpe:2.3:a:schneems:wicked:0.6.1:::::ruby::

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/oss-sec/2013/q4/43
http://secunia.com/advisories/55151
http://www.securityfocus.com/bid/62891
https://exchange.xforce.ibmcloud.com/vulnerabilities/87783
https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-03-11T15:00:00

Updated: 2024-08-06T16:45:14.615Z

Reserved: 2013-06-12T00:00:00

Link: CVE-2013-4413

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-03-11T19:37:02.880

Modified: 2025-04-12T10:46:40.837

Link: CVE-2013-4413

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-10-08T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "55151", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55151"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"}, {"name": "wicked-gem-cve20134413-dir-trav(87783)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"}, {"name": "62891", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/62891"}, {"name": "[oss-security] 20131009 Re: Vulnerability Reported in my Ruby Gem", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2013/q4/43"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4413", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "55151", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55151"}, {"name": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53", "refsource": "CONFIRM", "url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"}, {"name": "wicked-gem-cve20134413-dir-trav(87783)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"}, {"name": "62891", "refsource": "BID", "url": "http://www.securityfocus.com/bid/62891"}, {"name": "[oss-security] 20131009 Re: Vulnerability Reported in my Ruby Gem", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2013/q4/43"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:45:14.615Z"}, "title": "CVE Program Container", "references": [{"name": "55151", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55151"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"}, {"name": "wicked-gem-cve20134413-dir-trav(87783)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"}, {"name": "62891", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/62891"}, {"name": "[oss-security] 20131009 Re: Vulnerability Reported in my Ruby Gem", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2013/q4/43"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4413", "datePublished": "2014-03-11T15:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:14.615Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneems:wicked:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "7BB24A72-A86D-4C16-BAC7-CE3F433A8C0C", "versionEndIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.0.1:*:*:*:*:ruby:*:*", "matchCriteriaId": "11C26B86-CDFA-45F3-BD36-E37C3446F9DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.0.2:*:*:*:*:ruby:*:*", "matchCriteriaId": "45008888-E02B-4832-B268-733849D30412", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "24678459-FB79-4DE2-9B93-6678C0E59E91", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.1:*:*:*:*:ruby:*:*", "matchCriteriaId": "9575E1DD-F8FD-4D30-94FC-0903A5C880C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.2:*:*:*:*:ruby:*:*", "matchCriteriaId": "1D406277-1F89-4B5B-B2DE-FF875F16045E", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.3:*:*:*:*:ruby:*:*", "matchCriteriaId": "06B2A5FC-F95C-4645-9944-1556441EFCE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.4:*:*:*:*:ruby:*:*", "matchCriteriaId": "EAEC4F02-2F65-4102-9C20-FD09439340FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.5:*:*:*:*:ruby:*:*", "matchCriteriaId": "8012CC6B-147B-4098-AEF5-273662549248", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.1.6:*:*:*:*:ruby:*:*", "matchCriteriaId": "02949A0C-52BA-4519-9236-116062644E13", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.2.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "1076DC7A-C9FE-4D59-9E83-F018FDAC67F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.3.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "A97B76A9-B09F-4014-9C70-49642C04A375", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.3.1:*:*:*:*:ruby:*:*", "matchCriteriaId": "B9680911-AD8E-4B3E-A766-3EC01C8ED64E", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.3.2:*:*:*:*:ruby:*:*", "matchCriteriaId": "B040BF93-15A9-4500-86A3-573D2FEA1BE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.3.3:*:*:*:*:ruby:*:*", "matchCriteriaId": "09E23352-72CD-4B0A-89A4-DE01A0F82E57", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.3.4:*:*:*:*:ruby:*:*", "matchCriteriaId": "8B3F55EB-B6CC-4AE7-8935-CE0F2BFB10A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.4.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "EF94B020-F2D9-4F78-A924-28EFFEA7D1D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.5.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "C9288672-11DB-4F74-A6A1-61C2BE06C685", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.6.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "82C3CCAE-F8EB-4AFD-8392-22685DB19428", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneems:wicked:0.6.1:*:*:*:*:ruby:*:*", "matchCriteriaId": "7956F067-453E-438E-A330-B0B4CB03265E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "264DD094-A8CD-465D-B279-C834DDA5F79C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en controller/concerns/render_redirect.rb en la gema Wicked anterior a 1.0.1 para Ruby permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de un %2E%2E%2F (punto punto barra codificado) en el paso."}], "id": "CVE-2013-4413", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-03-11T19:37:02.880", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://seclists.org/oss-sec/2013/q4/43"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55151"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/62891"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://seclists.org/oss-sec/2013/q4/43"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55151"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/62891"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87783"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/schneems/wicked/commit/fe31bb2533fffc9d098c69ebeb7afc3b80509f53"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}