CVE-2011-1005

2011-03-0200:00:00

ubuntu.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.011 Low

EPSS

Percentile

84.1%

JSON

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through
1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify
strings via the Exception#to_s method, as demonstrated by changing an
intended pathname.

Bugs

Notes

Author	Note
tyhicks	potential test case in ruby-lang.org advisory The fix was incomplete, see CVE-2012-4481

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchruby1.8< 1.8.7.249-2ubuntu0.1UNKNOWN
ubuntu10.10noarchruby1.8< 1.8.7.299-2ubuntu0.1UNKNOWN
ubuntu11.04noarchruby1.8< 1.8.7.302-2ubuntu0.1UNKNOWN
ubuntu12.04noarchruby1.9.1< 1.9.3.0-1ubuntu2.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	ruby1.8	< 1.8.7.249-2ubuntu0.1	UNKNOWN
ubuntu	10.10	noarch	ruby1.8	< 1.8.7.299-2ubuntu0.1	UNKNOWN
ubuntu	11.04	noarch	ruby1.8	< 1.8.7.302-2ubuntu0.1	UNKNOWN
ubuntu	12.04	noarch	ruby1.9.1	< 1.9.3.0-1ubuntu2.2	UNKNOWN