JVNDB-2006-000853

tDiary arbitrary Ruby script execution vulnerability

Overview

tDiary is weblog software maintained by the tDiary development project.
tDiary contains a vulnerability which allows a remote attacker to execute arbitrary Ruby scripts on a vulnerable system.

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

tDiary development project
  • tDiary 2.0.3
  • tDiary 2.1.4.20061127

Impact

Depending on tDiary's configuration, an arbitrary Ruby script could be executed on the web server with the privileges of the tDiary process. This could lead to information disclosure or deletion, password compromise, content alteration, and similar impacts.

Solution

Vendor Information

tDiary development project

CWE

  1. Improper Input Validation (CWE-20) [NVD Evaluation]

CVE

  1. CVE-2006-6852

References

  1. JVN : JVN#31185550
  2. National Vulnerability Database (NVD) : CVE-2006-6852
  3. Secunia Advisory : SA23465
  4. SecurityFocus : 21811
  5. FrSIRT Advisories : FrSIRT/ADV-2006-5201

Revision History

  • [2008/05/21]
      Web page published