CVE-2018-8778

Name of the Vulnerable Software and Affected Versions Ruby versions prior to 2.2.10 Ruby versions 2.3.x prior to 2.3.7 Ruby versions 2.4.x prior to 2.4.4 Ruby versions 2.5.x prior to 2.5.1 Ruby version 2.6.0-preview1

Description The issue is related to the String#unpack method in Ruby, where an attacker controlling the unpacking format can trigger a buffer under-read, resulting in a massive and controlled information disclosure. This is similar to format string vulnerabilities. The vulnerability can be exploited by a remote attacker to disclose protected information.

Recommendations For Ruby versions prior to 2.2.10, update to version 2.2.10 or later. For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later. For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later. For Ruby version 2.6.0-preview1, update to a later version. As a temporary workaround, consider restricting the use of the String#unpack method until a patch is available.