CVE-2008-2662 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2008-2662

CVE-2008-2662

June 24, 2008

Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.

Related Resources (40)

http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

http://www.mandriva.com/security/advisories?name=MDVSA-2008:142

http://www.securityfocus.com/bid/29903

http://secunia.com/advisories/31687

http://www.ubuntu.com/usn/usn-621-1

http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/

http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

http://secunia.com/advisories/31181

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601

http://www.debian.org/security/2008/dsa-1618

http://www.mandriva.com/security/advisories?name=MDVSA-2008:140

http://secunia.com/advisories/30894

http://secunia.com/advisories/31256

http://www.securitytracker.com/id?1020347

http://www.mandriva.com/security/advisories?name=MDVSA-2008:141

http://secunia.com/advisories/31062

http://support.apple.com/kb/HT2163

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562

http://www.redhat.com/support/errata/RHSA-2008-0561.html

http://secunia.com/advisories/30867

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206

http://secunia.com/advisories/30802

http://www.ruby-forum.com/topic/157034

https://issues.rpath.com/browse/RPL-2626

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

http://www.vupen.com/english/advisories/2008/1981/references

http://secunia.com/advisories/33178

http://www.vupen.com/english/advisories/2008/1907/references

http://www.debian.org/security/2008/dsa-1612

http://secunia.com/advisories/30875

https://people.canonical.com/~ubuntu-security/cve/CVE-2008-2662

http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

http://www.securityfocus.com/archive/1/493688/100/0/threaded

http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html

https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html

http://security.gentoo.org/glsa/glsa-200812-17.xml

http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/43345

http://secunia.com/advisories/30831

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

10

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

EPSS

Base Score:

2.77