CVSS v2 base score: 7.8 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Ruby is vulnerable to denial of service. A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
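Two defender-side checks for the flaw described above, as an added example that is not part of the advisory or of Ruby itself: the first confirms that the running interpreter seeds String#hash per process (the fix this record refers to), the second bounds the number of form parameters a request may carry, on the assumed limit MAX_PARAMS, so one request cannot buy an unbounded amount of hash-insertion work.

```ruby
# Added example (not from the advisory). Two checks against the
# hash-collision denial of service in Ruby's Hash implementation.
require "rbconfig"

# 1. Per-process hash randomization.
#    A fixed interpreter hashes the same string to different values in two
#    fresh processes; an unfixed one returns the same value every time.
def child_hash
  IO.popen([RbConfig.ruby, "-e", "print 'ruby'.hash"], &:read)
end

def hash_randomized?
  child_hash != child_hash
rescue SystemCallError, IOError
  nil # could not spawn a child interpreter, so the result is unknown
end

# 2. Cap on the number of form parameters accepted per request.
#    Even with a randomized hash, a body carrying hundreds of thousands of
#    keys still costs CPU to parse and insert; rejecting it before parsing
#    bounds that work. Pairs are split on "&" as in
#    application/x-www-form-urlencoded; empty pairs ("a=1&&b=2") are ignored.
MAX_PARAMS = 1000 # assumed limit; tune per application

def count_params(body)
  body.split("&").count { |pair| !pair.empty? }
end

def too_many_params?(body, limit = MAX_PARAMS)
  count_params(body) > limit
end

if __FILE__ == $0
  case hash_randomized?
  when true  then puts "String#hash is randomized per process"
  when false then puts "WARNING: String#hash is NOT randomized; update Ruby"
  else            puts "could not spawn a child interpreter to check"
  end
  # Constructed sample bodies: a normal form and an oversized one.
  normal   = "user=alice&action=login"
  flooded  = Array.new(5000) { |i| "k#{i}=v" }.join("&")
  puts "normal body:  #{count_params(normal)} params, reject=#{too_many_params?(normal)}"
  puts "flooded body: #{count_params(flooded)} params, reject=#{too_many_params?(flooded)}"
end
```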
References:
archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/391606
jvn.jp/en/jp/JVN90615481/index.html
jvndb.jvn.jp/ja/contents/2012/JVNDB-2012-000066.html
lists.apple.com/archives/security-announce/2012/May/msg00001.html
rhn.redhat.com/errata/RHSA-2012-0069.html
rhn.redhat.com/errata/RHSA-2012-0070.html
secunia.com/advisories/47405
secunia.com/advisories/47822
support.apple.com/kb/HT5281
www.kb.cert.org/vuls/id/903934
www.nruns.com/_downloads/advisory28122011.pdf
www.ocert.org/advisories/ocert-2011-003.html
www.ruby-lang.org/en/news/2011/12/28/denial-of-service-attack-was-found-for-rubys-hash-algorithm/
www.securitytracker.com/id?1026474
access.redhat.com/errata/RHSA-2012:0069
access.redhat.com/security/updates/classification/#moderate
exchange.xforce.ibmcloud.com/vulnerabilities/72020