JVNDB-2005-000396

Ruby XMLRPC Arbitrary Command Execution Vulnerability

Overview

utils.rb in the Ruby XMLRPC server builds the list of remotely callable methods with public_instance_methods, whose default in Ruby 1.8 includes every public method a handler class inherits from Object rather than only the methods the handler class defines itself. Highly privileged inherited methods (for example instance_eval) can therefore be exposed to remote callers alongside the handler's own methods.
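The following Ruby is an added illustration, not code from the JVN advisory or from Ruby's xmlrpc library. It models how a handler object's method list is built: the vulnerable form calls public_instance_methods with its default, so every public method inherited from Object (instance_eval, send, ...) is listed and becomes callable, while the hardened form passes false to keep only the handler class's own methods. The Calculator class, the two listing helpers and the dispatch helper are hypothetical stand-ins for the server's handler registration and dispatch.

```ruby
# Added example (not the Ruby xmlrpc library's code).  Hypothetical names.

# A typical handler object that a server would register, e.g. under the
# prefix "calc", intending to expose only add and multiply.
class Calculator
  def add(a, b)
    a + b
  end

  def multiply(a, b)
    a * b
  end
end

# Vulnerable listing: mirrors a call to public_instance_methods with no
# argument.  The default includes inherited public methods, so instance_eval,
# send, public_send and friends from Object/Kernel end up in the list.
def exposed_methods_vulnerable(obj)
  obj.class.public_instance_methods.map(&:to_sym)
end

# Hardened listing: passing false restricts the result to methods defined
# by the handler class itself.
def exposed_methods_fixed(obj)
  obj.class.public_instance_methods(false).map(&:to_sym)
end

# Simplified dispatcher: a remote caller supplies a method name as a string
# plus arguments; only names present in the exposed list are invoked.
def dispatch(obj, exposed, name, *args)
  sym = name.to_sym
  raise NoMethodError, "#{name} is not exposed" unless exposed.include?(sym)
  obj.public_send(sym, *args)
end

if __FILE__ == $PROGRAM_NAME
  calc = Calculator.new
  # With the vulnerable list a caller can reach instance_eval and run code.
  puts dispatch(calc, exposed_methods_vulnerable(calc), "instance_eval", "6 * 7")
  # With the fixed list only add and multiply are reachable.
  puts exposed_methods_fixed(calc).sort.inspect
end
```

Run against a remote-supplied method name, the vulnerable list lets "instance_eval" through with a caller-supplied string of Ruby source, which is the arbitrary code execution this record describes; the fixed list rejects it before any method is invoked.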
CVSS Severity

CVSS V2 Severity:
Base Metrics 7.5 (High) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Ruby
  • Ruby 1.8
Turbolinux, Inc.
  • Turbolinux Server 10
Red Hat, Inc.
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 4 (ws)
  • Red Hat Enterprise Linux Desktop 4.0

Impact

A remote attacker could execute arbitrary commands on a system running a Ruby XMLRPC server that exposes a handler object, without prior authentication.
Solution

Apply the updated packages listed under 'Vendor Information'.
Vendor Information

  • Ruby
  • Turbolinux, Inc.
  • Red Hat, Inc.
CVE

  1. CVE-2005-1992
References

  1. National Vulnerability Database (NVD) : CVE-2005-1992
  2. US-CERT Vulnerability Note : VU#684913
  3. Secunia Advisory : SA15767
  4. SecurityFocus : 14016
  5. SecurityTracker : 1014253
  6. FrSIRT Advisories : FrSIRT/ADV-2005-0833
Revision History

  • [2008/05/21]
      Web page published