jnunemaker/httparty
CVE History
| CVE | Affected | Published | CVSS v3 | CVSS v2 |
|---|---|---|---|---|
| < 0.24.0 | 8.2 HIGH | — | ||
httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd. | ||||
| = *, < 0.21.0 | 5.3 MEDIUM | — | ||
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written. | ||||
| = 0.7.3, = 0.8.0, = *, = 0.6.1, = 0.2.2, = 0.7.7, = 0.5.0, = 0.3.1, = 0.1.8, = 0.7.1, = 0.7.0, = 0.2.9, = 0.2.8, = 0.2.7, = 0.1.1, = 0.1.0, = 0.7.8, = 0.4.5, = 0.4.2, = 0.2.0, = 0.7.4, = 0.5.2, = 0.1.2, = 0.7.5, = 0.6.0, = 0.4.0, = 0.1.3, = 0.7.2, = 0.2.10, = 0.8.2, = 0.8.1, = 0.4.4, = 0.4.3, = 0.2.1, = 0.1.7, = 0.7.6, = 0.4.1, = 0.2.5, = 0.2.3, = 0.1.5, = 0.8.3, = 0.5.1, = 0.3.0, = 0.2.6, = 0.2.4, = 0.1.6, <= 0.9.0 | — | 7.5 HIGH | ||
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156. | ||||