Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

According to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Ruby 1.8.7 before patchlevel 371, 1.9.3 before     patchlevel 286, and 2.0 before revision r37068 allows     context-dependent attackers to bypass safe-level     restrictions and modify untainted strings via the     name_err_mesg_to_str API function, which marks the     string as tainted, a different vulnerability than     CVE-2011-1005.(CVE-2012-4466)

  - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel     551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x     before 2.1.5 allows remote attackers to cause a denial     of service (CPU and memory consumption) a crafted XML     document containing an empty string in an entity that     is used in a large number of nested entity references,     aka an XML Entity Expansion (XEE) attack. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090)

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.1,     1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x     before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression.(CVE-2013-4287)

  - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x     before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote     attackers to cause a denial of service (memory     consumption) via a crafted XML document, aka an XML     Entity Expansion (XEE) attack.(CVE-2014-8080)

  - The OpenSSL::SSL.verify_certificate_identity function     in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374,     1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does     not properly handle a '\\0' character in a domain name     in the Subject Alternative Name field of an X.509     certificate, which allows man-in-the-middle attackers     to spoof arbitrary SSL servers via a crafted     certificate issued by a legitimate Certification     Authority, a related issue to     CVE-2009-2408.(CVE-2013-4073)

  - The rb_get_path_check function in file.c in Ruby 1.9.3     before patchlevel 286 and Ruby 2.0.0 before r37163     allows context-dependent attackers to create files in     unexpected locations or with unexpected names via a NUL     byte in a file path.(CVE-2012-4522)

  - (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3     patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do     not perform taint checking for native functions, which     allows context-dependent attackers to bypass intended     $SAFE level restrictions.(CVE-2013-2065)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete     fix for CVE-2013-4287.(CVE-2013-4363)

  - Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before     r37575 computes hash values without properly     restricting the ability to trigger hash collisions     predictably, which allows context-dependent attackers     to cause a denial of service (CPU consumption) via     crafted input to an application that maintains a hash     table, as demonstrated by a universal multicollision     attack against a variant of the MurmurHash2 algorithm,     a different vulnerability than     CVE-2011-4815.(CVE-2012-5371)

  - Off-by-one error in the encodes function in pack.c in     Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when     using certain format string specifiers, allows     context-dependent attackers to cause a denial of     service (segmentation fault) via vectors that trigger a     stack-based buffer overflow.(CVE-2014-4975)

  - Heap-based buffer overflow in Ruby 1.8, 1.9 before     1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0     preview2, and trunk before revision 43780 allows     context-dependent attackers to cause a denial of     service (segmentation fault) and possibly execute     arbitrary code via a string that is converted to a     floating point value, as demonstrated using (1) the     to_f method or (2) JSON.parse.(CVE-2013-4164)

  - It was found that the methods from the Dir class did     not properly handle strings containing the NULL byte.
    An attacker, able to inject NULL bytes in a path, could     possibly trigger an unspecified behavior of the ruby     script.(CVE-2018-8780)

  - Ruby 1.9.3 before patchlevel 286 and 2.0 before     revision r37068 allows context-dependent attackers to     bypass safe-level restrictions and modify untainted     strings via the (1) exc_to_s or (2) name_err_to_s API     function, which marks the string as tainted, a     different vulnerability than CVE-2012-4466. NOTE: this     issue might exist because of a CVE-2011-1005     regression.(CVE-2012-4464)

  - An issue was discovered in the OpenSSL library in Ruby     before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2,     and 2.6.x before 2.6.0-preview3. When two     OpenSSL::X509::Name objects are compared using ==,     depending on the ordering, non-equal objects may return     true. When the first argument is one character longer     than the second, or the second argument contains a     character that is one less than a character in the same     position of the first argument, the result of == will     be true. This could be leveraged to create an     illegitimate certificate that may be accepted as     legitimate and then used in signing or encryption     operations.(CVE-2018-16395)

  - An issue was discovered in Ruby before 2.3.8, 2.4.x     before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before     2.6.0-preview3. It does not taint strings that result     from unpacking tainted strings with some     formats.(CVE-2018-16396)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Solaris system is missing necessary patches to address security updates :

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in lib/     rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24     through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before     2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows     remote attackers to cause a denial of service (CPU     consumption) via a crafted gem version that triggers a     large amount of backtracking in a regular expression.
    (CVE-2013-4287)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete fix     for CVE-2013-4287. (CVE-2013-4363)

The remote Solaris system is missing necessary patches to address security updates :

  - Heap-based buffer overflow in Ruby 1.8, 1.9 before     1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0     preview2, and trunk before revision 43780 allows     context-dependent attackers to cause a denial of service     (segmentation fault) and possibly execute arbitrary code     via a string that is converted to a floating point     value, as demonstrated using (1) the to_f method or (2)     JSON.parse. (CVE-2013-4164)

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in lib/     rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24     through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before     2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows     remote attackers to cause a denial of service (CPU     consumption) via a crafted gem version that triggers a     large amount of backtracking in a regular expression.
    (CVE-2013-4287)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete fix     for CVE-2013-4287. (CVE-2013-4363)

ruby19 was updated to fix the following security issues :

  - fix CVE-2013-2065: Object taint bypassing in DL and     Fiddle (bnc#843686) The file CVE-2013-2065.patch     contains the patch

  - fix CVE-2013-4287 CVE-2013-4363: ruby19: Algorithmic     complexity vulnerability (bnc#837457) The file     CVE-2013-4287-4363.patch contains the patch

According to its self-reported version number, the Puppet Enterprise 3.x install on the remote host is prior to 3.1.1.  As a result, it is reportedly affected by multiple vulnerabilities :

  - An input validation error exists related to the     included Ruby version, handling string to floating point     conversions that could allow denial of service attacks     or arbitrary code execution. (CVE-2013-4164)

  - An error exists related to the included RubyGems     version and 'gem build', 'Gem::Package', and     'Gem::PackageTask' API calls that could allow denial     of service attacks. (CVE-2013-4363)

  - An error exists in the 'i18n' gem for Ruby that could     allow cross-site scripting attacks. (CVE-2013-4491)

  - An error exists related to handling temporary files     that could allow a local attacker to overwrite files by     using a symlink attack. (CVE-2013-4969)

  - An error exists related to the included Ruby on Rails,     'Action View', and handling certain headers that could     allow denial of service attacks. (CVE-2013-6414)

  - An input validation error exists related to the     included Ruby on Rails and the 'unit' parameter in the     'number_to_currency' helper that could allow cross-site     scripting attacks. (CVE-2013-6415)

  - An input validation error exists related to the     included Ruby on Rails, JSON parameter parsing and SQL     queries that could allow SQL injection attacks.
    (CVE-2013-6417)

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287 .

Ruby Gem developers report :

The patch for CVE-2013-4363 was insufficiently verified so the combined regular expression for verifying gem version remains vulnerable following CVE-2013-4363.

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.

ID	Name	Product	Family	Severity
124931	EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)	Nessus	Huawei Local Security Checks	critical
80760	Oracle Solaris Third-Party Patch Update : rubygems (multiple_cryptographic_issues_vulnerabilities_in1)	Nessus	Solaris Local Security Checks	medium
80757	Oracle Solaris Third-Party Patch Update : ruby (multiple_vulnerabilities_in_ruby1)	Nessus	Solaris Local Security Checks	medium
80756	Oracle Solaris Third-Party Patch Update : ruby (multiple_cryptographic_issues_vulnerabilities_in)	Nessus	Solaris Local Security Checks	medium
75178	openSUSE Security Update : ruby19 (openSUSE-SU-2013:1611-1)	Nessus	SuSE Local Security Checks	medium
73132	Puppet Enterprise 3.x < 3.1.1 Multiple Vulnerabilities	Nessus	CGI abuses	medium
72746	Amazon Linux AMI : ruby19 (ALAS-2014-290)	Nessus	Amazon Linux Local Security Checks	medium
71071	FreeBSD : ruby-gems -- Algorithmic Complexity Vulnerability (742eb9e4-e3cb-4f5a-b94e-0e9a39420600)	Nessus	FreeBSD Local Security Checks	medium
70567	Amazon Linux AMI : rubygems (ALAS-2013-231)	Nessus	Amazon Linux Local Security Checks	medium

Detections

Analytics

CVE-2013-4363

medium

Tenable Plugins

critical

medium

medium

medium

medium

medium

medium

medium

medium