CVE-2008-1145

MEDIUM severity · CVSS 5 · Path traversal

5CVSS MEDIUM

Summary

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impact—

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)60%

AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected products we track (1)

Ruby

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://secunia.com/advisories/29232Advisory
http://secunia.com/advisories/29357Advisory
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.htmlAdvisory
http://secunia.com/advisories/29536
http://secunia.com/advisories/30802
http://secunia.com/advisories/31687
http://secunia.com/advisories/32371