CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 77.9% |

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows
remote attackers to cause a denial of service (catastrophic regular
expression backtracking, resource consumption, or application crash) via a
crafted string.
Author | Note |
---|---|
sbeattie | fixed in 1.9.3 and newer. ruby1.9.1 packages are not affected because they are all ruby 1.9.3. |
www.openwall.com/lists/oss-security/2015/07/13/5
github.com/ruby/www.ruby-lang.org/issues/817
launchpad.net/bugs/cve/CVE-2014-6438
nvd.nist.gov/vuln/detail/CVE-2014-6438
security-tracker.debian.org/tracker/CVE-2014-6438
www.cve.org/CVERecord?id=CVE-2014-6438
www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released/