Ruby library contains vulnerable default value

2005-10-03T00:00:00
ID VU:684913
Type cert
Reporter CERT
Modified 2005-10-18T00:00:00

Description

Overview

Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.

Description

Ruby is vulnerable to an attack on applications using the XML-RPC services via XMLRPC.iPIMethods, due to an insecure default value in utils.rb. Any program or application using the XML-RPC services provided by XMLRPC.iPIMethods may be affected. Due to the vulnerability occurring in code that is typically used to provide remote services, this may allow a remote attacker to execute arbitrary code.


Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.


Solution

Apply an update

Please see the Ruby XMLRPC.iPIMethods Vulnerability note for more information, or contact your vendor for an update.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Red Hat, Inc.| | -| 18 Oct 2005
Ruby| | -| 03 Oct 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://secunia.com/advisories/15767/>
  • <http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237>
  • <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064>
  • <http://www.securityfocus.com/bid/14016>
  • <https://rhn.redhat.com/errata/RHSA-2005-543.html>
  • <http://www.auscert.org.au/5356>
  • <http://www.auscert.org.au/5509>

Credit

Thanks to Nobuhiro IMAI for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-1992
  • Date Public: 20 Jun 2005
  • Date First Published: 03 Oct 2005
  • Date Last Updated: 18 Oct 2005
  • Severity Metric: 9.11
  • Document Revision: 19