Lucene search

[email protected]CVE-2008-2663

HistoryJun 24, 2008 - 7:41 p.m.

CVE-2008-2663

2008-06-2419:41:00

CWE-190

[email protected]

web.nvd.nist.gov

cve-2008-2663

integer overflows

ruby 1.8.x

denial of service

arbitrary code execution

nvd

7.1 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.9%

JSON

Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

CPENameOperatorVersion
ruby-lang:rubyruby-lang rubyle1.8.4
ruby-lang:rubyruby-lang rubylt1.8.5.231
ruby-lang:rubyruby-lang rubylt1.8.6.230
ruby-lang:rubyruby-lang rubylt1.8.7.22
debian:debian_linuxdebian debian linuxeq4.0
canonical:ubuntu_linuxcanonical ubuntu linuxeq6.06
canonical:ubuntu_linuxcanonical ubuntu linuxeq7.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq7.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.04

CPE	Name	Operator	Version
ruby-lang:ruby	ruby-lang ruby	le	1.8.4
ruby-lang:ruby	ruby-lang ruby	lt	1.8.5.231
ruby-lang:ruby	ruby-lang ruby	lt	1.8.6.230
ruby-lang:ruby	ruby-lang ruby	lt	1.8.7.22
debian:debian_linux	debian debian linux	eq	4.0
canonical:ubuntu_linux	canonical ubuntu linux	eq	6.06
canonical:ubuntu_linux	canonical ubuntu linux	eq	7.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	7.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.04

References

blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/

lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html

secunia.com/advisories/30802

secunia.com/advisories/30831

secunia.com/advisories/30867

secunia.com/advisories/30875

secunia.com/advisories/30894

secunia.com/advisories/31062

secunia.com/advisories/31090

secunia.com/advisories/31181

secunia.com/advisories/31256

secunia.com/advisories/31687

secunia.com/advisories/33178

security.gentoo.org/glsa/glsa-200812-17.xml

slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562

support.apple.com/kb/HT2163

weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

wiki.rpath.com/wiki/Advisories:rPSA-2008-0206

www.debian.org/security/2008/dsa-1612

www.debian.org/security/2008/dsa-1618

www.mandriva.com/security/advisories?name=MDVSA-2008:140

www.mandriva.com/security/advisories?name=MDVSA-2008:141

www.mandriva.com/security/advisories?name=MDVSA-2008:142

www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

www.redhat.com/support/errata/RHSA-2008-0561.html

www.ruby-forum.com/topic/157034

www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

www.securityfocus.com/archive/1/493688/100/0/threaded

www.securityfocus.com/bid/29903

www.securitytracker.com/id?1020347

www.ubuntu.com/usn/usn-621-1

www.vupen.com/english/advisories/2008/1907/references

www.vupen.com/english/advisories/2008/1981/references

www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

exchange.xforce.ibmcloud.com/vulnerabilities/43346

issues.rpath.com/browse/RPL-2626

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10524

www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html

7.1 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.9%

JSON

Related for CVE-2008-2663

prion5 ubuntucve4 cve4 rubygems4 openvas41 securityvulns2 nessus25 slackware1 ubuntu1 seebug1 redhat2 osv2 oraclelinux2 centos3 fedora7 debian2 gentoo1