Executive Summary
Summary | |
---|---|
Title | Ruby vulnerability |
Informations | |||
---|---|---|---|
Name | USN-195-1 | First vendor Publication | 2005-10-10 |
Vendor | Ubuntu | Last vendor Modification | 2005-10-10 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: ruby1.8 The problem can be corrected by upgrading the affected package to version 1.8.1+1.8.2pre2-3ubuntu0.3 (for Ubuntu 4.10), or 1.8.1+1.8.2pre4-1ubuntu0.2 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. However, if you have permanently running server applications which are implemented in Ruby and use "safe levels", you need to restart them. Details follow: The object oriented scripting language Ruby supports safely executing untrusted code with two mechanisms: safe level and taint flag on objects. Dr. Yutaka Oiwa discovered a vulnerability that allows Ruby methods to bypass these mechanisms. In systems which use this feature, this could be exploited to execute Ruby code beyond the restrictions specified in each safe level. |
Original Source
Url : http://www.ubuntu.com/usn/USN-195-1 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10564 | |||
Oval ID: | oval:org.mitre.oval:def:10564 | ||
Title: | Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin). | ||
Description: | Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin). | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-2337 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200510-05 (ruby) File : nvt/glsa_200510_05.nasl |
2008-09-04 | Name : FreeBSD Ports: ruby, ruby_static File : nvt/freebsd_ruby2.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 860-1 (ruby) File : nvt/deb_860_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 862-1 (ruby1.8) File : nvt/deb_862_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 864-1 (ruby1.8) File : nvt/deb_864_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
19610 | Ruby eval.c safe_level Restriction Bypass |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2006-07-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-799.nasl - Type : ACT_GATHER_INFO |
2006-05-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_1daea60a471911dab5c60004614cc33d.nasl - Type : ACT_GATHER_INFO |
2006-05-12 | Name : The remote operating system is missing a vendor-supplied patch. File : macosx_SecUpd2006-003.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-195-1.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-196-1.nasl - Type : ACT_GATHER_INFO |
2005-11-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-191.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-864.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-799.nasl - Type : ACT_GATHER_INFO |
2005-10-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-860.nasl - Type : ACT_GATHER_INFO |
2005-10-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-862.nasl - Type : ACT_GATHER_INFO |
2005-10-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200510-05.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:02:27 |
|