Lucene search

K
osvGoogleOSV:DLA-263-1
HistoryJul 01, 2015 - 12:00 a.m.

ruby1.9.1 - security update

2015-07-0100:00:00
Google
osv.dev
18

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.02 Low

EPSS

Percentile

88.9%

Two vulnerabilities were identified in the Ruby language interpreter,
version 1.9.1.

  • CVE-2012-5371
    Jean-Philippe Aumasson identified that Ruby computed hash values
    without properly restricting the ability to trigger hash collisions
    predictably, allowing context-dependent attackers to cause a denial
    of service (CPU consumption). This is a different vulnerability than
    CVE-2011-4815.
  • CVE-2013-0269
    Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby
    allowed remote attackers to cause a denial of service (resource
    consumption) or bypass the mass assignment protection mechanism via
    a crafted JSON document that triggers the creation of arbitrary Ruby
    symbols or certain internal objects.

For the squeeze distribution, theses vulnerabilities have been fixed in
version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade
your ruby1.9.1 package.

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.02 Low

EPSS

Percentile

88.9%