// For flags

CVE-2008-2662

ruby: Integer overflows in rb_str_buf_append()

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.

Múltiples desbordamientos de entero en la función rb_str_buf_append de Ruby 1.8.4 y anteriores, 1.8.5 antes de 1.8.5-p231, 1.8.6 anterior a 1.8.6-p230, 1.8.7 anterior a 1.8.7-p22 y 1.9.0 antes de 1.9.0-2 permite a atacantes dependientes del contexto ejecutar código de su elección o provocar una denegación de servicio mediante vectores desconocidos que disparan una corrupción de memoria, un problema distinto a CVE-2008-2663, CVE-2008-2664 y CVE-2008-2725. NOTA: a fecha de 24-06-2008, ha habido un uso inconsistente de múltiples identificadores CVE relacionados con Ruby. Esta descripción CVE debe ser tomada como autorizado, aunque probablemente cambie.

Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1).%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3). (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. The updated packages have been patched to fix these issues.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-06-10 CVE Reserved
  • 2008-06-24 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-06-24 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-189: Numeric Errors
  • CWE-190: Integer Overflow or Wraparound
CAPEC
References (41)
URL Tag Source
http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue Third Party Advisory
http://secunia.com/advisories/30802 Third Party Advisory
http://secunia.com/advisories/30831 Third Party Advisory
http://secunia.com/advisories/30867 Third Party Advisory
http://secunia.com/advisories/30875 Third Party Advisory
http://secunia.com/advisories/30894 Third Party Advisory
http://secunia.com/advisories/31062 Third Party Advisory
http://secunia.com/advisories/31181 Third Party Advisory
http://secunia.com/advisories/31256 Third Party Advisory
http://secunia.com/advisories/31687 Third Party Advisory
http://secunia.com/advisories/33178 Third Party Advisory
http://support.apple.com/kb/HT2163 Third Party Advisory
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities Third Party Advisory
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 Broken Link
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities Third Party Advisory
http://www.ruby-forum.com/topic/157034 Third Party Advisory
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html Third Party Advisory
http://www.securityfocus.com/archive/1/493688/100/0/threaded Mailing List
http://www.securityfocus.com/bid/29903 Third Party Advisory
http://www.securitytracker.com/id?1020347 Third Party Advisory
http://www.vupen.com/english/advisories/2008/1907/references Third Party Advisory
http://www.vupen.com/english/advisories/2008/1981/references Third Party Advisory
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/43345 Third Party Advisory
https://issues.rpath.com/browse/RPL-2626 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601 Signature
URL Date SRC
URL Date SRC
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities 2018-11-01
URL Date SRC
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html 2018-11-01
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html 2018-11-01
http://security.gentoo.org/glsa/glsa-200812-17.xml 2018-11-01
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562 2018-11-01
http://www.debian.org/security/2008/dsa-1612 2018-11-01
http://www.debian.org/security/2008/dsa-1618 2018-11-01
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140 2018-11-01
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 2018-11-01
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 2018-11-01
http://www.redhat.com/support/errata/RHSA-2008-0561.html 2018-11-01
http://www.ubuntu.com/usn/usn-621-1 2018-11-01
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html 2018-11-01
https://access.redhat.com/security/cve/CVE-2008-2662 2008-07-14
https://bugzilla.redhat.com/show_bug.cgi?id=450821 2008-07-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 <= 1.8.4
Search vendor "Ruby-lang" for product "Ruby" and version " <= 1.8.4"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 > 1.8.5 < 1.8.5.231
Search vendor "Ruby-lang" for product "Ruby" and version " > 1.8.5 < 1.8.5.231"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 >= 1.8.6 < 1.8.6.230
Search vendor "Ruby-lang" for product "Ruby" and version " >= 1.8.6 < 1.8.6.230"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 >= 1.8.7 < 1.8.7.22
Search vendor "Ruby-lang" for product "Ruby" and version " >= 1.8.7 < 1.8.7.22"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 >= 1.9.0 < 1.9.0.2
Search vendor "Ruby-lang" for product "Ruby" and version " >= 1.9.0 < 1.9.0.2"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 4.0
Search vendor "Debian" for product "Debian Linux" and version "4.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 6.06
Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 7.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "7.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 7.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "7.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"
lts
Affected