
CVE-2013-4203: rgpg Code Injection vulnerability

CVSS Score: 7.5

Basic Information

EPSS Score: 0.79685%
Published: 10/24/2017
Updated: 11/5/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
rgpg         | rubygems  | < 0.2.3             | 0.2.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. Multiple sources (CVE description, GHSA, Openwall discussion) explicitly name GpgHelper.run_gpg as the vulnerable function.
  2. The code pattern matches classic command injection: unsanitized user input is passed directly to system(), where the shell interprets any metacharacters (such as `;`, `|` or backticks) it contains as additional commands.
  3. The vulnerability was patched in 0.2.3, and historical context shows Ruby security advisories typically address this type of system() call misuse.
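As an added illustration (not code from the rgpg gem or from Miggo), the pattern named in item 2 beside its hardened form: a single command string is handed to /bin/sh, so metacharacters in the input become shell syntax, while the argv-array form passes the input verbatim. The method names, the `echo` stand-in for the gpg binary and the sample input are hypothetical.

```ruby
require "open3"

# Hypothetical stand-in for a gpg wrapper such as rgpg's run_gpg (the gem's real
# code is not reproduced here). `echo` replaces the gpg binary so the example runs
# anywhere; the mechanism (/bin/sh parsing the metacharacters) is the same.
GPG_STAND_IN = "echo"

# Vulnerable pattern: one interpolated string. Open3/system pass a single string
# through /bin/sh, so `;`, `|`, `$()` or backticks in `input` are executed.
def run_gpg_vulnerable(input)
  out, _status = Open3.capture2("#{GPG_STAND_IN} --decrypt #{input}")
  out
end

# Hardened pattern: program and each argument as separate array elements.
# No shell is spawned, so `input` arrives as exactly one argv entry.
def run_gpg_safe(input)
  out, _status = Open3.capture2(GPG_STAND_IN, "--decrypt", input)
  out
end

# Defence in depth for callers that still need string-built commands:
# refuse input containing characters the shell would interpret.
SHELL_METACHARACTERS = /[;&|`$()<>\\'"\s]/

def shell_metacharacters?(input)
  input.match?(SHELL_METACHARACTERS)
end

# Constructed attacker-controlled value: a filename followed by a second command.
TAINTED = "secret.gpg; echo INJECTED"

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_gpg_vulnerable(TAINTED).inspect}"  # two echo commands ran
  puts "safe:       #{run_gpg_safe(TAINTED).inspect}"        # one argument, printed verbatim
  puts "flagged:    #{shell_metacharacters?(TAINTED)}"
end
```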


WAF Protection Rules

WAF Rule

The `self.run_gpg` function in `lib/rgpg/gpg_helper.rb` in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
