CVE-2013-4413

wicked < 1.0.1 - Path Traversal via Step Parameter

Description

Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.

References (5)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/55151
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/87783
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/62891
Patch mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2013/q4/43

Scores

EPSS 0.0081
EPSS Percentile 74.5%

Details

CWE
CWE-22
Status published
Products (21)
rubygems/wicked 0 - 1.0.1 (RubyGems)
schneems/wicked 0.0.1
schneems/wicked 0.0.2
schneems/wicked 0.1.0
schneems/wicked 0.1.1
schneems/wicked 0.1.2
schneems/wicked 0.1.3
schneems/wicked 0.1.4
schneems/wicked 0.1.5
schneems/wicked 0.1.6
... and 11 more
Published Mar 11, 2014
Tracked Since Feb 18, 2026