JVNDB-2005-000538

Ruby vulnerability allowing to bypass safe level 4 as a sandbox

Overview

Ruby is an object-oriented scripting language that supports execution of untrusted code with two mechanisms: "object taint" and "safe level". Ruby contains a vulnerability that may allow an attacker to execute an arbitrary script by bypassing the "safe level" checks.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.4 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Ruby
  • Ruby 1.8.2 and earlier
  • Ruby 1.6.8 and earlier
  • Ruby development versions (1.9.0) 2005-09-01 and earlier
MIRACLE LINUX CORPORATION
  • Asianux Server 3.0
  • Asianux Server 3.0 (x86-64)
  • Asianux Server 4.0
  • Asianux Server 4.0 (x86-64)
Red Hat, Inc.
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux 4 (ws)

Impact

An attacker could possibly execute an arbitrary script.
Solution

Vendor Information

Ruby
MIRACLE LINUX CORPORATION
  • MIRACLE LINUX Update Information : 224 (Japanese)
Red Hat, Inc.
CWE

CVE

  1. CVE-2005-2337
References

  1. JVN : JVN#62914675
  2. National Vulnerability Database (NVD) : CVE-2005-2337
  3. US-CERT Vulnerability Note : VU#160012
  4. SecurityFocus : 14909
Revision History

  • [2008/05/21]
      Web page published