
JVNDB-2006-000753

Ruby cgi.rb Denial of Service Vulnerability

Overview

The cgi.rb class in Ruby cannot handle HTTP requests whose MIME multipart data is sent with an invalid boundary; such a request can trigger an infinite loop and consume a large amount of CPU resources.
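As an added example (not code from this advisory or from Ruby's cgi.rb), the following Ruby pre-check is the kind of input validation a web application or front end can run on an incoming multipart request before any loop-driven multipart parser sees it: it checks the boundary parameter against the RFC 2046 grammar and confirms that the delimiter actually occurs in the body. The helper names (`extract_boundary`, `multipart_ok?`), the size cap and the sample request are constructed for this example.

```ruby
# Added example, not code from the JVN advisory or from Ruby's cgi.rb.
# Rejects multipart/form-data requests whose boundary is malformed or never
# appears in the body, so a parser that loops until it finds the delimiter
# is never handed input on which it cannot terminate.

# RFC 2046 boundary: 1..70 characters from bchars, not ending in a space.
BOUNDARY_RE = /\A[0-9A-Za-z'()+_,\-.\/:=? ]{0,69}[0-9A-Za-z'()+_,\-.\/:=?]\z/

# Pull the boundary parameter out of a Content-Type header value.
# Returns nil when the type is not multipart/form-data or no boundary is given.
def extract_boundary(content_type)
  return nil if content_type.nil?
  type, *params = content_type.split(';').map(&:strip)
  return nil unless type.casecmp?('multipart/form-data')
  params.each do |param|
    key, value = param.split('=', 2)
    next unless key && value && key.strip.casecmp?('boundary')
    value = value.strip
    value = value[1..-2] if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
    return value
  end
  nil
end

# True only when the boundary is well-formed, the body is within the size
# cap, and both an opening delimiter line and the closing delimiter exist.
def multipart_ok?(content_type, body, max_body: 10 * 1024 * 1024)
  boundary = extract_boundary(content_type)
  return false unless boundary && BOUNDARY_RE.match?(boundary)
  return false if body.bytesize > max_body
  delim = Regexp.escape("--#{boundary}")
  opening = /^#{delim}[ \t]*\r?\n/   # dash-boundary, optional padding, CRLF
  closing = /^#{delim}--/            # close-delimiter
  body.match?(opening) && body.match?(closing)
end

# Constructed sample request (not captured traffic).
SAMPLE_CT   = 'multipart/form-data; boundary=AaB03x'
SAMPLE_BODY = "--AaB03x\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nhello\r\n--AaB03x--\r\n"

if __FILE__ == $PROGRAM_NAME
  puts multipart_ok?(SAMPLE_CT, SAMPLE_BODY)                                    # true
  puts multipart_ok?(SAMPLE_CT, SAMPLE_BODY.sub("--AaB03x--", ""))              # false: no closing delimiter
  puts multipart_ok?('multipart/form-data; boundary="AaB03x "', SAMPLE_BODY)    # false: trailing space
end
```

A request that fails the check should be rejected with an HTTP 400 before the body reaches the multipart parser.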
CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products
Ruby
  • Ruby 1.8.5 and earlier
  • Ruby Development Release (1.9x) 2006/09/23 and earlier
Turbolinux, Inc.
  • Turbolinux 10_f
  • Turbolinux Appliance Server 2.0
  • Turbolinux Desktop 10
  • Turbolinux FUJI
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Server 10
  • Turbolinux Server 10 (x64)
  • Turbolinux Server 8
  • Turbolinux Home
MIRACLE LINUX CORPORATION
  • Asianux Server 3.0
  • Asianux Server 3.0 (x86-64)
  • Asianux Server 4.0
  • Asianux Server 4.0 (x86-64)
Red Hat, Inc.
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux 4 (ws)
  • Red Hat Enterprise Linux Desktop 3.0
  • Red Hat Enterprise Linux Desktop 4.0

Impact

An attacker could cause a Denial of Service (DoS) on web services that use cgi.rb.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

Ruby
Turbolinux, Inc.
MIRACLE LINUX CORPORATION
  • MIRACLE LINUX Update Information : ruby (V3.0) (Japanese)
  • MIRACLE LINUX Update Information : ruby (V4.0) (Japanese)
Red Hat, Inc.
CWE

CVE

  1. CVE-2006-5467
References

  1. National Vulnerability Database (NVD) : CVE-2006-5467
  2. Secunia Advisory : SA13123
  3. SecurityFocus : 20777
  4. FrSIRT Advisories : FrSIRT/ADV-2006-4244
Revision History

  • [2008/05/21]
      Web page published