Lucene search

GitHub Advisory DatabaseGHSA-WFWM-CHJ7-W59R

HistoryMar 05, 2018 - 6:29 p.m.

Ox gem stack overflow in sax_parse

2018-03-0518:29:32

CWE-125

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

28.7%

JSON

In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the read_from_str function in sax_buf.c when a crafted input is supplied to sax_parse.

Affected configurations

Vulners

Node

ox_projectoxRange<2.8.2ruby

CPENameOperatorVersion
oxlt2.8.2

CPE	Name	Operator	Version
	ox	lt	2.8.2

References

github.com/advisories/GHSA-wfwm-chj7-w59r

github.com/ohler55/ox/issues/195

github.com/rubysec/ruby-advisory-db/blob/master/gems/ox/CVE-2017-16229.yml

nvd.nist.gov/vuln/detail/CVE-2017-16229

rubygems.org/gems/ox/versions/2.8.1

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

28.7%

JSON

Related for GHSA-WFWM-CHJ7-W59R