
CVE-2013-4413: Wicked gem contains Path traversal vulnerability

CVSS Score: 5

Basic Information

EPSS Score: 0.7473%
Published: 10/24/2017
Updated: 7/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
wicked | rubygems | < 1.0.1 | 1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis (Miggo AI)

The commit diff shows the vulnerability was patched by adding ERB::Util.url_encode() to sanitize the_step in render_step. The unencoded the_step parameter was passed directly to render(), enabling path traversal via crafted URLs. The vulnerability reports explicitly reference this file and method as the attack vector, and the fix directly addresses this function's input handling.
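To make the root cause concrete, the following is an added Ruby illustration, not Wicked's own code. It models how a step name taken from the URL reaches the template lookup that render performs, once unchanged (pre-1.0.1) and once passed through ERB::Util.url_encode as the fix does. The view directory `/app/views/wizard` and the `template_path_for` stand-in for Rails template resolution are assumptions made for the example; the traversal sample input is constructed.

```ruby
# Added illustration (not Wicked's own code): models how a step name from the URL
# reaches the template lookup in render_step, before and after the 1.0.1 fix.
require "erb"

# Assumed view directory for the wizard controller; constructed for this example.
WIZARD_VIEWS = "/app/views/wizard".freeze

# Stand-in for the template lookup that render(the_step) performs: the step name
# is joined under the controller's view directory and normalised. Real Rails
# resolution is more involved, but the directory-separator problem is the same.
def template_path_for(step)
  File.expand_path(step.to_s, WIZARD_VIEWS)
end

# Pre-1.0.1 behaviour: the step taken from the URL is handed to render unchanged,
# so a step containing "../" resolves to a template outside the view directory.
def render_step_unpatched(the_step)
  template_path_for(the_step)
end

# 1.0.1 behaviour as described in the root cause analysis: the step is passed
# through ERB::Util.url_encode, which turns "/" into "%2F" (dots are kept), so
# the resulting name can no longer contain a directory separator.
def render_step_patched(the_step)
  template_path_for(ERB::Util.url_encode(the_step))
end

# Defensive check usable in a test suite: does the resolved template path stay
# inside the wizard view directory?
def inside_wizard_views?(path)
  path.start_with?(WIZARD_VIEWS + "/")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample steps: one legitimate, one carrying a traversal segment.
  ["confirm", "../outside"].each do |step|
    [["unpatched", render_step_unpatched(step)],
     ["patched", render_step_patched(step)]].each do |label, path|
      puts "#{label.ljust(9)} #{step.inspect} -> #{path} " \
           "(inside views: #{inside_wizard_views?(path)})"
    end
  end
end
```

The `inside_wizard_views?` check is the kind of assertion a project test can keep around after upgrading: it fails on the unpatched resolution of a traversal step and passes on the encoded one, independent of how the step reached the controller.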


WAF Protection Rules

WAF Rule

The Wicked gem prior to v1.0.1 allows a remote attacker to traverse directories on the system via a vulnerability in `controller/concerns/render_redirect.rb`. An attacker can send a specially-crafted URL request containing `%**%**%**` directory trave
