CVE-2008-2664 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2008-2664

CVE-2008-2664

June 24, 2008

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

Related Resources (41)

http://secunia.com/advisories/30875

http://www.mandriva.com/security/advisories?name=MDVSA-2008:141

http://www.debian.org/security/2008/dsa-1618

http://secunia.com/advisories/30831

http://www.vupen.com/english/advisories/2008/1907/references

http://www.securitytracker.com/id?1020347

http://www.mandriva.com/security/advisories?name=MDVSA-2008:140

http://secunia.com/advisories/31062

http://secunia.com/advisories/33178

https://people.canonical.com/~ubuntu-security/cve/CVE-2008-2664

http://www.debian.org/security/2008/dsa-1612

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562

http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html

http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

https://exchange.xforce.ibmcloud.com/vulnerabilities/43348

http://secunia.com/advisories/31090

http://secunia.com/advisories/31181

http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206

http://secunia.com/advisories/30894

http://security.gentoo.org/glsa/glsa-200812-17.xml

http://secunia.com/advisories/31687

http://www.ruby-forum.com/topic/157034

http://www.securityfocus.com/bid/29903

http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html

http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/

http://www.securityfocus.com/archive/1/493688/100/0/threaded

http://secunia.com/advisories/30867

http://secunia.com/advisories/31256

http://www.ubuntu.com/usn/usn-621-1

http://secunia.com/advisories/30802

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9646

https://issues.rpath.com/browse/RPL-2626

http://support.apple.com/kb/HT2163

http://www.mandriva.com/security/advisories?name=MDVSA-2008:142

http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

http://www.redhat.com/support/errata/RHSA-2008-0561.html

http://www.vupen.com/english/advisories/2008/1981/references

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

CVSS v2

Base Score:

7.8

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

EPSS

Base Score:

6.26