Platform
ruby
Component
cremefraiche
Fixed in
0.6.1
CVE-2013-2090 is a critical command injection vulnerability in the Creme Fraiche (cremefraiche) Ruby gem, affecting versions before 0.6.1. The gem passes the filename of an email attachment it processes to a shell, so a remote attacker who can deliver an email with shell metacharacters (such as `;`, `|` or backticks) in an attachment filename can execute arbitrary commands on the host. Ruby applications that use Creme Fraiche for metadata extraction and manipulation are affected; the fix is available in version 0.6.1.
The impact is severe. Because the attacker only needs to send an email, no authentication is required, and the injected commands run with the privileges of the Ruby process that invokes Creme Fraiche. That gives the attacker full control of that account, and of the whole host if the process runs as root. Consequences include data theft, modification of the system, and persistent compromise, and a foothold on a mail-processing host is a natural starting point for lateral movement wherever that host can reach other internal resources.
CVE-2013-2090 is publicly disclosed and public proof-of-concept code may exist. Widespread exploitation campaigns have not been reported, but the attack is trivial to carry out (a single crafted attachment filename) and the impact is high, so it remains a persistent risk. The CVE identifier dates the flaw to 2013; the NVD entry was published on 2017-10-24. The simplicity of the trigger makes it a natural candidate for exploit databases and automated scanning tools.
Exploit Status
EPSS
1.44% (81st percentile)
The primary mitigation is to upgrade the Creme Fraiche gem to version 0.6.1 or later. If upgrading is not immediately feasible, validate attachment filenames against a strict allow-list (for example, a single path component containing only letters, digits, dots, underscores and hyphens) before the gem sees them, and make sure no code path in your own application interpolates an attachment filename into a command string: invoke external tools in argv form so that no shell is involved. Note that a web application firewall only helps if attachments reach the application over HTTP; for mail delivered over SMTP the filtering has to happen at the mail gateway. On the detection side, alert on the Ruby process spawning unexpected child processes (`/bin/sh -c` with unusual arguments is the typical signature of this class of bug).
An official fix is available in version 0.6.1; the workarounds above are only an interim measure until the upgrade is applied.
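The following is an added example, not code from the cremefraiche gem (its internals are not reproduced here), showing the class of bug the advisory describes and the two fixes mentioned in the mitigation section. It assumes `echo` as a deterministic, side-effect-free stand-in for whatever external tool a metadata extractor would call, and the attack filename is constructed for the demonstration. Ruby hands a command string that contains shell metacharacters to `/bin/sh -c`, which is exactly how the attachment filename becomes a second command; the argv form of `Open3.capture2e` (or `system`, `spawn`, `IO.popen`) never involves a shell.

```ruby
require "open3"
require "shellwords"

# Stand-in for the real extraction tool (assumption for this example):
# echo prints its arguments, so the output shows exactly what the shell did.
TOOL = "echo"

# Vulnerable pattern: the attachment filename is interpolated into one
# command string. Because the string contains metacharacters, Ruby runs
# it through /bin/sh -c and "; echo INJECTED" becomes a second command.
# Backticks (`#{TOOL} #{filename}`) and system("...") behave the same way.
def extract_vulnerable(filename)
  out, _status = Open3.capture2e("#{TOOL} #{filename}")
  out
end

# Fix 1 (preferred): argv form. Each element is passed as one argument to
# the program; no shell parses the filename, so metacharacters are inert.
def extract_argv(filename)
  out, _status = Open3.capture2e(TOOL, filename)
  out
end

# Fix 2: if a command string cannot be avoided, escape the argument so the
# shell sees it as a single word.
def extract_escaped(filename)
  out, _status = Open3.capture2e("#{TOOL} #{Shellwords.escape(filename)}")
  out
end

# Allow-list validator for attachment filenames (the interim workaround):
# one path component, conservative character set, no leading dot or dash
# (rejects "../x" style traversal and "-rf" style option injection).
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/

def safe_attachment_name?(name)
  SAFE_NAME.match?(name)
end

# Constructed attack filename for the demonstration (not from a real sample).
MALICIOUS = "report.pdf; echo INJECTED"

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{extract_vulnerable(MALICIOUS).inspect}" # two lines: INJECTED ran
  puts "argv:       #{extract_argv(MALICIOUS).inspect}"       # one line, literal filename
  puts "escaped:    #{extract_escaped(MALICIOUS).inspect}"    # one line, literal filename
  puts "allowed?    #{safe_attachment_name?(MALICIOUS)}"      # false
end
```

Running it shows the vulnerable form producing two lines of output (the second being the injected command's), while both hardened forms print the filename verbatim. The allow-list check is deliberately stricter than "strip shell metacharacters": rejecting anything outside a small known-good set is far easier to reason about than enumerating every character the shell, or the downstream tool's option parser, might interpret.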
CVE-2013-2090 is a critical command injection vulnerability in the Creme Fraiche gem, versions before 0.6.1, that lets attackers execute arbitrary commands via shell metacharacters in an email attachment filename.
You are affected if your Ruby application uses Creme Fraiche gem versions prior to 0.6.1 and processes email attachments.
Upgrade the Creme Fraiche gem to version 0.6.1 or later. Implement input validation on attachment filenames as a temporary workaround.
While widespread active exploitation isn't confirmed, the vulnerability's ease of exploitation makes it a persistent risk and a potential target.
Refer to the CVE entry on the National Vulnerability Database (NVD) for more information: https://nvd.nist.gov/vuln/detail/CVE-2013-2090