CVE-2008-2663 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2008-2663

CVE-2008-2663

June 24, 2008

Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

Related Resources (41)

https://people.canonical.com/~ubuntu-security/cve/CVE-2008-2663

http://secunia.com/advisories/30831

http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

http://secunia.com/advisories/31181

http://www.vupen.com/english/advisories/2008/1907/references

http://www.debian.org/security/2008/dsa-1618

http://www.securityfocus.com/archive/1/493688/100/0/threaded

http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

http://www.vupen.com/english/advisories/2008/1981/references

http://secunia.com/advisories/30867

http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/43346

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

http://secunia.com/advisories/31062

http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

http://support.apple.com/kb/HT2163

http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

http://secunia.com/advisories/30875

http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

http://www.mandriva.com/security/advisories?name=MDVSA-2008:141

http://secunia.com/advisories/31256

http://www.securitytracker.com/id?1020347

http://www.mandriva.com/security/advisories?name=MDVSA-2008:142

https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206

http://secunia.com/advisories/31090

http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562

http://www.redhat.com/support/errata/RHSA-2008-0561.html

http://www.ubuntu.com/usn/usn-621-1

http://www.mandriva.com/security/advisories?name=MDVSA-2008:140

http://secunia.com/advisories/30894

http://secunia.com/advisories/31687

http://www.ruby-forum.com/topic/157034

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10524

https://issues.rpath.com/browse/RPL-2626

http://secunia.com/advisories/30802

http://security.gentoo.org/glsa/glsa-200812-17.xml

http://secunia.com/advisories/33178

http://www.debian.org/security/2008/dsa-1612

http://www.securityfocus.com/bid/29903

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

10

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

Weakness Type (CWE)

Integer Overflow or Wraparound

EPSS

Base Score:

3.28