CVE-2009-5147
HIGH severity · CVSS 7.3 · Improper input validation
Summary
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality impact: Low
Integrity impact: Low
Availability impact: Low
Exploit probability (EPSS): 56%
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://seclists.org/oss-sec/2015/q3/222
Additional information
- NVD record
- http://seclists.org/oss-sec/2015/q3/222 (Patch)
- https://bugzilla.redhat.com/show_bug.cgi?id=1248935 (Patch)
- https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b (Patch)
- https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/ (Advisory)
- http://www.securityfocus.com/bid/76060 (Advisory)
- https://access.redhat.com/errata/RHSA-2018:0583