tDiary arbitrary Ruby script execution vulnerability


tDiary is weblog software maintained by the tDiary development project.
tDiary contains a vulnerability which allows a remote attacker to execute arbitrary Ruby scripts on a vulnerable system.
CVSS Severity

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

tDiary development project
  • tDiary 2.0.3
  • tDiary


Depending on tDiary's configuration, an arbitrary Ruby script could be executed on the web server with the privileges tDiary runs under. This could lead to information disclosure or deletion, password compromise, content alteration, and similar impacts.

Vendor Information

tDiary development project
CWE

  1. Improper Input Validation (CWE-20) [NVD Evaluation]
CVE

  1. CVE-2006-6852

  1. JVN : JVN#31185550
  2. National Vulnerability Database (NVD) : CVE-2006-6852
  3. Secunia Advisory : SA23465
  4. SecurityFocus : 21811
  5. FrSIRT Advisories : FrSIRT/ADV-2006-5201
Revision History

  • [2008/05/21]
      Web page published