CVE-2008-3656

2008-08-1301:41:00

CWE-399

[email protected]

web.nvd.nist.gov

vulnerability

webrick

httputils

ruby

denial of service

cpu consumption

crafted http request

nvd

6.2 Medium

AI Score

Confidence

High

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.107 Low

EPSS

Percentile

95.0%

JSON

Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.

CPENameOperatorVersion
ruby-lang:rubyruby-lang rubyeq1.8.3
ruby-lang:rubyruby-lang rubyeq1.8.2
ruby-lang:rubyruby-lang rubyeq1.8.4
ruby-lang:rubyruby-lang rubyeq1.8.1
ruby-lang:rubyruby-lang rubyeq1.8.7
ruby-lang:rubyruby-lang rubyeq1.9.0
ruby-lang:rubyruby-lang rubyeq1.8.6
ruby-lang:rubyruby-lang rubyeq1.8.5
ruby-lang:rubyruby-lang rubyeq1.8.0
ruby-lang:rubyruby-lang rubyeq1.6.8

CPE	Name	Operator	Version
ruby-lang:ruby	ruby-lang ruby	eq	1.8.3
ruby-lang:ruby	ruby-lang ruby	eq	1.8.2
ruby-lang:ruby	ruby-lang ruby	eq	1.8.4
ruby-lang:ruby	ruby-lang ruby	eq	1.8.1
ruby-lang:ruby	ruby-lang ruby	eq	1.8.7
ruby-lang:ruby	ruby-lang ruby	eq	1.9.0
ruby-lang:ruby	ruby-lang ruby	eq	1.8.6
ruby-lang:ruby	ruby-lang ruby	eq	1.8.5
ruby-lang:ruby	ruby-lang ruby	eq	1.8.0
ruby-lang:ruby	ruby-lang ruby	eq	1.6.8