ID CVE-2009-1904
Summary The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
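Added example (not part of this record or of the Ruby project): a small Ruby script that, first, decides from a version/patchlevel pair whether an interpreter falls inside the affected ranges stated in the summary above, and second, shows the defensive pattern the summary implies, namely refusing a numeric string whose magnitude cannot fit a Float before BigDecimal#to_f is ever called, so an oversized value is rejected rather than reaching the conversion that crashed unpatched builds. Function names, the plain-decimal regex and the 64-character input cap are assumptions chosen for the illustration; the sample inputs in the comments are constructed.

```ruby
require "bigdecimal"

# Affected ranges taken from the advisory text: 1.8.6 before p369, 1.8.7 before p173.
FIXED_PATCHLEVEL = { "1.8.6" => 369, "1.8.7" => 173 }.freeze

# True when the version/patchlevel pair lies inside an affected range.
# Defaults to the running interpreter; any other Ruby version is out of scope here.
def cve_2009_1904_affected?(version = RUBY_VERSION, patchlevel = RUBY_PATCHLEVEL)
  min_fixed = FIXED_PATCHLEVEL[version]
  !min_fixed.nil? && patchlevel < min_fixed
end

# Plain decimal literal only: optional sign, digits, optional fraction, optional exponent.
# This deliberately excludes forms BigDecimal() itself accepts ("Infinity", "NaN",
# surrounding whitespace, underscores) so untrusted input is narrowed before parsing.
DECIMAL_RE = /\A[+-]?(\d+)(?:\.\d+)?(?:[eE]([+-]?\d+))?\z/
MAX_INPUT_LEN = 64 # assumed cap; size it to the application's real inputs

# Decimal exponent of the leading digit, e.g. "123.4" -> 2, "5e10" -> 10, "0.5" -> 0.
# Leading zeros in the integer part are not significant and are stripped first.
def leading_exponent(int_part, exp_part)
  significant = int_part.sub(/\A0+(?=\d)/, "")
  (exp_part ? Integer(exp_part, 10) : 0) + significant.length - 1
end

# Converts an untrusted numeric string to Float via BigDecimal, refusing anything that
# cannot be a finite Float before the conversion is attempted.
# Raises ArgumentError for malformed or oversized input, RangeError for out-of-range values.
def safe_decimal_to_f(str)
  raise ArgumentError, "input too long" if str.length > MAX_INPUT_LEN
  m = DECIMAL_RE.match(str)
  raise ArgumentError, "not a plain decimal literal" unless m
  int_part, exp_part = m[1], m[2]
  # The length cap bounds the exponent digits too, so this comparison is cheap and the
  # string can never describe a number far beyond what Float can hold.
  if leading_exponent(int_part, exp_part) > Float::MAX_10_EXP
    raise RangeError, "exponent exceeds Float range"
  end
  f = BigDecimal(str).to_f
  # Values near the boundary (e.g. "9e308") can still overflow to Infinity on patched
  # interpreters; never hand a non-finite result on to the caller.
  raise RangeError, "value not representable as a finite Float" unless f.finite?
  f
rescue FloatDomainError
  # Raised instead of returning Infinity if BigDecimal's exception mode is enabled.
  raise RangeError, "value not representable as a finite Float"
end

if __FILE__ == $PROGRAM_NAME
  puts "running interpreter affected: #{cve_2009_1904_affected?}"
  ["1.5", "-2e3", "1e308", "1e400", "9e308", "Infinity", "1" * 65].each do |s|
    begin
      puts "#{s[0, 20]} -> #{safe_decimal_to_f(s)}"
    rescue ArgumentError, RangeError => e
      puts "#{s[0, 20]} -> rejected (#{e.class}: #{e.message})"
    end
  end
end
```

The magnitude check runs on the string, so the rejection happens without constructing the BigDecimal at all; the finite? check after conversion covers the boundary cases the string check lets through. Applying the same narrowing to any other path that ends in Float conversion (Float(), to_f on a user-supplied String) is the general form of the fix.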
References
Vulnerable Configurations
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 29-09-2017 - 01:34)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  Vector: NETWORK   Complexity: LOW   Authentication: NONE
Impact
  Confidentiality: NONE   Integrity: NONE   Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
oval via4
accepted 2013-04-29T04:22:07.774-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
family unix
id oval:org.mitre.oval:def:9780
status accepted
submitted 2010-07-09T03:56:16-04:00
title The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
version 30
redhat via4
advisories
bugzilla
id 504958
title CVE-2009-1904 ruby: DoS vulnerability in BigDecimal
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • comment irb is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140001
        • comment irb is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427002
      • AND
        • comment ruby is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140003
        • comment ruby is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427004
      • AND
        • comment ruby-devel is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140005
        • comment ruby-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427006
      • AND
        • comment ruby-docs is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140007
        • comment ruby-docs is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427008
      • AND
        • comment ruby-libs is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140009
        • comment ruby-libs is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427010
      • AND
        • comment ruby-mode is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140011
        • comment ruby-mode is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427012
      • AND
        • comment ruby-tcltk is earlier than 0:1.8.1-7.el4_8.3
          oval oval:com.redhat.rhsa:tst:20091140013
        • comment ruby-tcltk is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060427014
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment ruby is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140016
        • comment ruby is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965002
      • AND
        • comment ruby-devel is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140018
        • comment ruby-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965004
      • AND
        • comment ruby-docs is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140020
        • comment ruby-docs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965006
      • AND
        • comment ruby-irb is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140022
        • comment ruby-irb is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965008
      • AND
        • comment ruby-libs is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140024
        • comment ruby-libs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965010
      • AND
        • comment ruby-mode is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140026
        • comment ruby-mode is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965012
      • AND
        • comment ruby-rdoc is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140028
        • comment ruby-rdoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965014
      • AND
        • comment ruby-ri is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140030
        • comment ruby-ri is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965016
      • AND
        • comment ruby-tcltk is earlier than 0:1.8.5-5.el5_3.7
          oval oval:com.redhat.rhsa:tst:20091140032
        • comment ruby-tcltk is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070965018
rhsa
id RHSA-2009:1140
released 2009-07-02
severity Moderate
title RHSA-2009:1140: ruby security update (Moderate)
rpms
  • irb-0:1.8.1-7.el4_8.3
  • ruby-0:1.8.1-7.el4_8.3
  • ruby-0:1.8.5-5.el5_3.7
  • ruby-debuginfo-0:1.8.1-7.el4_8.3
  • ruby-debuginfo-0:1.8.5-5.el5_3.7
  • ruby-devel-0:1.8.1-7.el4_8.3
  • ruby-devel-0:1.8.5-5.el5_3.7
  • ruby-docs-0:1.8.1-7.el4_8.3
  • ruby-docs-0:1.8.5-5.el5_3.7
  • ruby-irb-0:1.8.5-5.el5_3.7
  • ruby-libs-0:1.8.1-7.el4_8.3
  • ruby-libs-0:1.8.5-5.el5_3.7
  • ruby-mode-0:1.8.1-7.el4_8.3
  • ruby-mode-0:1.8.5-5.el5_3.7
  • ruby-rdoc-0:1.8.5-5.el5_3.7
  • ruby-ri-0:1.8.5-5.el5_3.7
  • ruby-tcltk-0:1.8.1-7.el4_8.3
  • ruby-tcltk-0:1.8.5-5.el5_3.7
refmap via4
apple APPLE-SA-2010-03-29-1
bid 35278
confirm
fedora FEDORA-2009-13066
gentoo GLSA-200906-02
mandriva MDVSA-2009:160
mlist
  • [pkgsrc-changes] 20090610 CVS commit: pkgsrc/lang/ruby18-base
  • [rubyonrails-security] 20090610 DoS Vulnerability in Ruby (CVE-2009-1904)
osvdb 55031
sectrack 1022371
secunia
  • 35399
  • 35527
  • 35593
  • 35699
  • 35937
  • 37705
slackware SSA:2009-170-02
ubuntu USN-805-1
vupen ADV-2009-1563
xf ruby-bigdecimal-dos(51032)
Last major update 29-09-2017 - 01:34
Published 11-06-2009 - 21:30
Last modified 29-09-2017 - 01:34