CVE-2011-1004

2011-03-0220:00:00

CWE-59

[email protected]

web.nvd.nist.gov

cve-2011-1004

ruby

security

vulnerability

symlink attack

nvd

5.8 Medium

AI Score

Confidence

Low

6.3 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:N/I:C/A:C

0.0004 Low

EPSS

Percentile

9.3%

JSON

The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.

CPENameOperatorVersion
ruby-lang:rubyruby-lang rubyeq1.9.3
ruby-lang:rubyruby-lang rubyeq1.9.2
ruby-lang:rubyruby-lang rubyeq1.9.1
ruby-lang:rubyruby-lang rubyeq1.8.7
ruby-lang:rubyruby-lang rubyeq1.8.8
ruby-lang:rubyruby-lang rubyeq1.8.6

CPE	Name	Operator	Version
ruby-lang:ruby	ruby-lang ruby	eq	1.9.3
ruby-lang:ruby	ruby-lang ruby	eq	1.9.2
ruby-lang:ruby	ruby-lang ruby	eq	1.9.1
ruby-lang:ruby	ruby-lang ruby	eq	1.8.7
ruby-lang:ruby	ruby-lang ruby	eq	1.8.8
ruby-lang:ruby	ruby-lang ruby	eq	1.8.6