Fluid Attacks Database

Description

HTTParty does not restrict casts of string values The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	httparty	>=0 <0.10.0	0.10.0

Aliases

1. CVE-2013-18012. NVD-2013-18013. OSV-2013-18014. GCVE-2013-1801

References

1. https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c0312. https://bugzilla.redhat.com/show_bug.cgi?id=9172293. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/httparty/CVE-2013-1801.yml4. https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately5. https://web.archive.org/web/20200229101716/http://www.securityfocus.com/bid/58260

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.