Lucene search

K
hackeroneUsaH1:235842
HistoryJun 02, 2017 - 2:29 p.m.

Ruby: Ruby 2.3.x and 2.2.x still bundle DoS vulnerable verision of libYAML

2017-06-0214:29:02
usa
hackerone.com
9

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.017 Low

EPSS

Percentile

86.1%

libYAML 0.1.6 (and 0.1.5) has a DoS vulnerablitity known as CVE-2014-9130.
Now Ruby 2.4.x bundles fixed version 0.1.7, but 2.3.x and 2.2.x still bundle 0.1.6.

Note that I’m the maintainer of Ruby 2.3.x and 2.2.x.
Therefore, this report is a kind of remainder.

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.017 Low

EPSS

Percentile

86.1%

Related for H1:235842