CVE-2008-3657

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

http://secunia.com/advisories/31430

http://secunia.com/advisories/31697

http://secunia.com/advisories/32165

http://secunia.com/advisories/32219

http://secunia.com/advisories/32255

http://secunia.com/advisories/32256

http://secunia.com/advisories/32371

http://secunia.com/advisories/33178

http://secunia.com/advisories/35074

http://security.gentoo.org/glsa/glsa-200812-17.xml

http://support.apple.com/kb/HT3549

http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0264

http://www.debian.org/security/2008/dsa-1651

http://www.debian.org/security/2008/dsa-1652

http://www.redhat.com/support/errata/RHSA-2008-0897.html

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

http://www.securityfocus.com/archive/1/495884/100/0/threaded

http://www.securityfocus.com/bid/30644

http://www.securitytracker.com/id?1020652

http://www.us-cert.gov/cas/techalerts/TA09-133A.html

http://www.vupen.com/english/advisories/2008/2334

http://www.vupen.com/english/advisories/2009/1297

https://exchange.xforce.ibmcloud.com/vulnerabilities/44372

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9793

https://usn.ubuntu.com/651-1/

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00259.html

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00299.html

Details

Source: MITRE

Published: 2008-08-13

Updated: 2018-10-11

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:ruby-lang:ruby:1.6.8:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.1:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.1:-9:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.2:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.2:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.2:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.2:preview4:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.3:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.3:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.3:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.3:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.4:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.4:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.4:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.4:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* versions up to 1.8.5 (inclusive)

cpe:2.3:a:ruby-lang:ruby:1.8.5:p11:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:p113:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:p115:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:p12:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:p2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:p35:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:preview4:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.5:preview5:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.6:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.6:p110:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.6:p114:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.6:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.6:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.6:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p17:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview4:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*

Tenable Plugins

View all (20 total)

IDNameProductFamilySeverity
67752Oracle Linux 4 / 5 : ruby (ELSA-2008-0897)NessusOracle Linux Local Security Checks
high
60485Scientific Linux Security Update : ruby on SL3.x, SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
51760SuSE 10 Security Update : ruby (ZYPP Patch Number 6338)NessusSuSE Local Security Checks
high
42032openSUSE 10 Security Update : ruby (ruby-6339)NessusSuSE Local Security Checks
high
41452SuSE 11 Security Update : ruby (SAT Patch Number 1073)NessusSuSE Local Security Checks
high
41312SuSE9 Security Update : ruby (YOU Patch Number 12452)NessusSuSE Local Security Checks
high
40306openSUSE Security Update : ruby (ruby-1070)NessusSuSE Local Security Checks
high
40122openSUSE Security Update : ruby (ruby-1070)NessusSuSE Local Security Checks
high
38744Mac OS X 10.5.x < 10.5.7 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
38018Mandriva Linux Security Advisory : ruby (MDVSA-2008:226)NessusMandriva Local Security Checks
high
37068Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : ruby1.8 vulnerabilities (USN-651-1)NessusUbuntu Local Security Checks
high
35188GLSA-200812-17 : Ruby: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
34502CentOS 4 / 5 : ruby (CESA-2008:0897)NessusCentOS Local Security Checks
high
34466RHEL 4 / 5 : ruby (RHSA-2008:0897)NessusRed Hat Local Security Checks
high
34388Debian DSA-1652-1 : ruby1.9 - several vulnerabilitiesNessusDebian Local Security Checks
high
34387Debian DSA-1651-1 : ruby1.8 - several vulnerabilitiesNessusDebian Local Security Checks
high
34380Fedora 9 : ruby-1.8.6.287-2.fc9 (2008-8738)NessusFedora Local Security Checks
high
34379Fedora 8 : ruby-1.8.6.287-2.fc8 (2008-8736)NessusFedora Local Security Checks
high
5023Mac OS X 10.5 < 10.5.7 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
800792Mac OS X 10.5 < 10.5.7 Multiple VulnerabilitiesLog Correlation EngineOperating System Detection
high