PT-2018-3277 · Ruby+5 · Ruby+5

Ooooooo_Q

Publicado

2018-03-28

Atualizado

2020-06-09

CVE-2018-8779

CVSS v2.0

7.8

Alta

Vetor

AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions Ruby versions prior to 2.2.10 Ruby versions 2.3.x prior to 2.3.7 Ruby versions 2.4.x prior to 2.4.4 Ruby versions 2.5.x prior to 2.5.1 Ruby version 2.6.0-preview1

Description The issue arises from insufficient input validation in the UNIXServer.open and UNIXSocket.open methods. This may allow an attacker to connect to an unintended socket, potentially bypassing security restrictions.

Recommendations For Ruby versions prior to 2.2.10, update to version 2.2.10 or later. For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later. For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later. For Ruby version 2.6.0-preview1, update to a later version.

Exploit

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

ALT-PU-2018-1522

BDU:2019-04473

CESA-2019_2028

CVE-2018-8779

DLA-1358-1

DLA-1359-1

DLA-1421-1

DSA-4259-1

MGASA-2018-0411

OPENSUSE-SU-2019:1771-1

OPENSUSE-SU-2019_1771-1

RHSA-2018:3729

RHSA-2018:3730

RHSA-2018:3731

RHSA-2019:2028

RHSA-2019_2028

SUSE-SU-2019:1804-1

SUSE-SU-2020:1570-1

SUSE-SU-2020_1570-1

USN-3626-1

Produtos afetados

Alt Linux

Centos

Red Hat

Ruby

Suse

Ubuntu

PT-2018-3277 · Ruby+5 · Ruby+5

CVE-2018-8779

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 295