CVE-2005-2337 - Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers t

CVE-2005-2337

Summary

Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).

References

Vulnerable Configurations

cpe:2.3:a:yukihiro_matsumoto:ruby:1.6:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.2:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.2:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.3:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.3:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.4:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.4:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.5:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.5:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.6:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.6:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.7:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.6.7:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8.2_pre1:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8.2_pre1:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8.2_pre2:*:*:*:*:*:*:*
cpe:2.3:a:yukihiro_matsumoto:ruby:1.8.2_pre2:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 11-10-2017 - 01:30)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:06:43.465-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

family

unix

oval:org.mitre.oval:def:10564

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

rhsa

id	RHSA-2005:799

rpms

irb-0:1.6.8-9.EL3.4
irb-0:1.8.1-7.EL4.2
ruby-0:1.6.8-9.EL3.4
ruby-0:1.8.1-7.EL4.2
ruby-debuginfo-0:1.6.8-9.EL3.4
ruby-debuginfo-0:1.8.1-7.EL4.2
ruby-devel-0:1.6.8-9.EL3.4
ruby-devel-0:1.8.1-7.EL4.2
ruby-docs-0:1.6.8-9.EL3.4
ruby-docs-0:1.8.1-7.EL4.2
ruby-libs-0:1.6.8-9.EL3.4
ruby-libs-0:1.8.1-7.EL4.2
ruby-mode-0:1.6.8-9.EL3.4
ruby-mode-0:1.8.1-7.EL4.2
ruby-tcltk-0:1.6.8-9.EL3.4
ruby-tcltk-0:1.8.1-7.EL4.2

refmap via4

apple	APPLE-SA-2006-05-11
bid	14909 17951
cert	TA06-132A
cert-vn	VU#160012
confirm	http://www.ruby-lang.org/en/20051003.html
debian	DSA-860 DSA-862 DSA-864
gentoo	GLSA-200510-05
mandriva	MDKSA-2005:191
misc	http://jvn.jp/jp/JVN%2362914675/index.html
sectrack	1014948
secunia	16904 17094 17098 17129 17147 17285 19130 20077
sreason	59
suse	SUSE-SR:2006:005
ubuntu	USN-195-1
vupen	ADV-2006-1779
xf	ruby-eval-security-bypass(22360)

Last major update

11-10-2017 - 01:30

Published

07-10-2005 - 23:02

Last modified

11-10-2017 - 01:30