// For flags

CVE-2008-2725

ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

Un desbordamiento de enteros en la función (1) rb_ary_splice en Ruby 1.8.4 y versiones anteriores, 1.8.5 anterior a versión 1.8.5-p231, 1.8.6 anterior a versión 1.8.6-p230 y 1.8.7 anterior a versión 1.8.7-p22; y (2) la función rb_ary_replace en 1.6.x permite a los atacantes dependiendo del contexto desencadenar una corrupción en la memoria por medio de vectores no especificados, también se conoce como la variante "REALLOC_N", un problema diferente a los CVE-2008-2662, CVE-2008-2663 y CVE-2008-2664. NOTA: a partir de 20080624, ha habido un uso incoherente de varios identificadores CVE relacionados con Ruby. La descripción del CVE debe considerarse autorizada, aunque es probable que cambie.

Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1).%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3). (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. The updated packages have been patched to fix these issues.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-06-16 CVE Reserved
  • 2008-06-24 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-04-26 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-189: Numeric Errors
  • CWE-190: Integer Overflow or Wraparound
CAPEC
References (45)
URL Tag Source
http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue Third Party Advisory
http://secunia.com/advisories/30802 Third Party Advisory
http://secunia.com/advisories/30831 Third Party Advisory
http://secunia.com/advisories/30867 Third Party Advisory
http://secunia.com/advisories/30875 Third Party Advisory
http://secunia.com/advisories/30894 Third Party Advisory
http://secunia.com/advisories/31062 Third Party Advisory
http://secunia.com/advisories/31090 Third Party Advisory
http://secunia.com/advisories/31181 Third Party Advisory
http://secunia.com/advisories/31256 Third Party Advisory
http://secunia.com/advisories/31687 Third Party Advisory
http://secunia.com/advisories/33178 Third Party Advisory
http://support.apple.com/kb/HT2163 Third Party Advisory
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities Third Party Advisory
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 Broken Link
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities Third Party Advisory
http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.html Mailing List
http://www.ruby-forum.com/topic/157034 Third Party Advisory
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html Third Party Advisory
http://www.securityfocus.com/archive/1/493688/100/0/threaded Mailing List
http://www.securityfocus.com/bid/29903 Third Party Advisory
http://www.securitytracker.com/id?1020347 Third Party Advisory
http://www.vupen.com/english/advisories/2008/1907/references Third Party Advisory
http://www.vupen.com/english/advisories/2008/1981/references Third Party Advisory
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html Broken Link
https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727 Issue Tracking
https://exchange.xforce.ibmcloud.com/vulnerabilities/43350 Third Party Advisory
https://issues.rpath.com/browse/RPL-2626 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9606 Signature
URL Date SRC
URL Date SRC
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities 2018-11-01
URL Date SRC
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html 2018-11-01
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html 2018-11-01
http://security.gentoo.org/glsa/glsa-200812-17.xml 2018-11-01
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562 2018-11-01
http://www.debian.org/security/2008/dsa-1612 2018-11-01
http://www.debian.org/security/2008/dsa-1618 2018-11-01
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140 2018-11-01
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 2018-11-01
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 2018-11-01
http://www.redhat.com/support/errata/RHSA-2008-0561.html 2018-11-01
http://www.ubuntu.com/usn/usn-621-1 2018-11-01
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html 2018-11-01
https://access.redhat.com/security/cve/CVE-2008-2725 2008-07-14
https://bugzilla.redhat.com/show_bug.cgi?id=451821 2008-07-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 <= 1.8.4
Search vendor "Ruby-lang" for product "Ruby" and version " <= 1.8.4"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 >= 1.8.5 < 1.8.5.231
Search vendor "Ruby-lang" for product "Ruby" and version " >= 1.8.5 < 1.8.5.231"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 >= 1.8.6 < 1.8.6.230
Search vendor "Ruby-lang" for product "Ruby" and version " >= 1.8.6 < 1.8.6.230"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 >= 1.8.7 < 1.8.7.22
Search vendor "Ruby-lang" for product "Ruby" and version " >= 1.8.7 < 1.8.7.22"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 4.0
Search vendor "Debian" for product "Debian Linux" and version "4.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 6.06
Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 7.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "7.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 7.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "7.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"
lts
Affected