Platform: ruby
Component: command_wrap
Fixed in: 0.6.3
CVE-2013-1875 describes a Command Injection vulnerability in the command_wrap Ruby gem. The gem builds shell commands from URLs or filenames it is given, so an attacker who controls one of those values can embed shell metacharacters and have arbitrary commands executed on the system. The vulnerability affects versions of command_wrap prior to 0.6.2, and a fix is available in later versions.
The impact of CVE-2013-1875 is significant, as a successful exploit allows remote command execution. An attacker could use it to gain complete control over the affected system, leading to data theft, system compromise, and further lateral movement within the network. Because the injection point is a URL or filename, the flaw can be exploited without authentication or complex interaction. Like other command injection flaws, it stems from improper sanitization of user-supplied input before that input is passed to a shell.
CVE-2013-1875 was published in 2017, indicating a significant delay between discovery and public disclosure. While no active exploitation campaigns are publicly known, the vulnerability's ease of exploitation and the potential for remote command execution make it a persistent risk. There are publicly available proof-of-concept exploits demonstrating the vulnerability. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.73% (73rd percentile)
The primary mitigation for CVE-2013-1875 is to upgrade to a version of the command_wrap gem that addresses the vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, add input validation and sanitization in your own code so that shell metacharacters never reach the gem. A direct WAF rule is difficult to write for this flaw, but a proxy can be configured to inspect URLs and filenames for suspicious characters. Thoroughly test any configuration changes in a non-production environment before deploying them. After upgrading, confirm the fix by attempting to inject shell metacharacters into a URL or filename processed by the gem and verifying that the embedded command is not executed.
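The two Ruby idioms at the heart of this bug class, shown as an added example that is not command_wrap's own code: interpolating an untrusted URL into a single command string (which Ruby hands to /bin/sh, so metacharacters split commands) beside the argv-array form that execs the program directly and never involves a shell, plus an allowlist check of the kind the workaround above calls for. The URL, the `echo` stand-in for the real download command, and all helper names are constructed for this example.

```ruby
require "open3"

# Constructed sample input: a "URL" carrying a shell metacharacter sequence.
# If this string reaches /bin/sh unquoted, the part after ';' runs as a second command.
TAINTED_URL = "http://example.invalid/file; echo INJECTED"

# Vulnerable pattern: untrusted input interpolated into one command string.
# Ruby sees metacharacters in the string and runs it via /bin/sh -c, so the
# ';' ends the first command and 'echo INJECTED' executes as a separate one.
def fetch_vulnerable(url)
  out, _status = Open3.capture2("echo fetching #{url}")
  out
end

# Hardened pattern: program and each argument as separate array elements.
# Ruby execs the program directly with no shell, so ';' is just part of the data.
def fetch_hardened(url)
  out, _status = Open3.capture2("echo", "fetching", url)
  out
end

# Workaround-style check for code that must still build a command string:
# reject anything that is not a plainly formed http(s) URL. An allowlist of
# permitted characters is safer than trying to enumerate every metacharacter.
URL_ALLOWLIST = %r{\Ahttps?://[\w.\-]+(:\d+)?(/[\w./\-]*)?\z}
def safe_url?(url)
  url.match?(URL_ALLOWLIST)
end

# Verification helper: true if the injected marker ran as its own command
# (it appears on a line of its own) rather than being echoed back as literal data.
def injection_executed?(output)
  output.lines.include?("INJECTED\n")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{injection_executed?(fetch_vulnerable(TAINTED_URL))}" # true
  puts "hardened:   #{injection_executed?(fetch_hardened(TAINTED_URL))}"   # false
  puts "allowlist rejects tainted URL: #{!safe_url?(TAINTED_URL)}"          # true
end
```

The same verification idea, a harmless marker command whose effect is visible only when it actually executes, is what the post-upgrade check above relies on.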
No official patch available. Check for workarounds or monitor for updates.
CVE-2013-1875 is a Command Injection vulnerability affecting versions of the command_wrap Ruby gem prior to 0.6.2. It allows attackers to execute arbitrary commands through URLs or filenames.
You are affected if your application uses the command_wrap gem and you are running a version equal to or less than 0.6.2. Check your gem versions immediately.
Upgrade to a patched version of the command_wrap gem (version 0.6.3 or later). If upgrading is not possible, implement strict input validation and sanitization.
While no active campaigns are publicly known, the vulnerability's ease of exploitation makes it a persistent risk. Proof-of-concept exploits are available.
Refer to the Ruby Security Advisory for details: https://rubysec.com/advisories/CVE-2013-1875