PT-2011-2809 · Ruby+1 · Ruby+1

Urabe Shyouhei

Published

2011-03-02

Updated

2013-08-13

CVE-2011-1005

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Ruby versions 1.8.6 through 1.8.6-420 Ruby versions 1.8.7 through 1.8.7-330 Ruby version 1.8.8dev

Description The safe-level feature in Ruby allows context-dependent attackers to modify strings via the Exception#to s method. This could be used to change an intended pathname.

Recommendations For Ruby versions 1.8.6 through 1.8.6-420, consider updating to a version outside of this range to mitigate the risk. For Ruby versions 1.8.7 through 1.8.7-330, consider updating to a version outside of this range to mitigate the risk. For Ruby version 1.8.8dev, consider avoiding the use of the Exception#to s method until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2011-1005

RHSA-2011:0908

RHSA-2011:0909

RHSA-2011:0910

RHSA-2011_0908

RHSA-2011_0909

RHSA-2011_0910

Affected Products

Red Hat

Ruby

PT-2011-2809 · Ruby+1 · Ruby+1

CVE-2011-1005

Weakness Enumeration

Related Identifiers

Affected Products

References · 32