// For flags

CVE-2009-1904

ruby: DoS vulnerability in BigDecimal

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

La librería BigDecimal en Ruby v1.8.6 anteriores p369 y v1.8.7, anteriores a p173 permite a los atacantes dependientes del contexto causar una denegación de servicio (caída de la aplicación) a través de un argumento de cadena de caracteres que representa un número largo, como se demuestra por un intento de conversión al tipo de dato Float.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-06-03 CVE Reserved
  • 2009-06-11 CVE Published
  • 2016-09-04 First Exploit
  • 2024-08-07 CVE Updated
  • 2025-04-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-189: Numeric Errors
CAPEC
References (34)
URL Tag Source
http://bugs.gentoo.org/show_bug.cgi?id=273213 X_refsource_confirm
http://groups.google.com/group/rubyonrails-security/msg/fad60751e2b9b4f6?dmode=source Mailing List
http://mail-index.netbsd.org/pkgsrc-changes/2009/06/10/msg024708.html Mailing List
http://osvdb.org/55031 Vdb Entry
http://secunia.com/advisories/35527 Third Party Advisory
http://secunia.com/advisories/35593 Third Party Advisory
http://secunia.com/advisories/35699 Third Party Advisory
http://secunia.com/advisories/35937 Third Party Advisory
http://secunia.com/advisories/37705 Third Party Advisory
http://support.apple.com/kb/HT4077 X_refsource_confirm
http://www.ruby-forum.com/topic/189071 X_refsource_confirm
http://www.securityfocus.com/bid/35278 Vdb Entry
http://www.securitytracker.com/id?1022371 Vdb Entry
http://www.vupen.com/english/advisories/2009/1563 Vdb Entry
https://bugs.launchpad.net/bugs/385436 X_refsource_confirm
https://bugs.launchpad.net/bugs/cve/2009-1904 X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/51032 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9780 Signature
URL Date SRC
https://github.com/NZKoz/bigdecimal-segfault-fix 2016-09-04
http://redmine.ruby-lang.org/issues/show/794 2024-08-07
URL Date SRC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689 2017-09-29
http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master 2017-09-29
http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby 2017-09-29
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal 2017-09-29
URL Date SRC
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html 2017-09-29
http://secunia.com/advisories/35399 2017-09-29
http://security.gentoo.org/glsa/glsa-200906-02.xml 2017-09-29
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.430805 2017-09-29
http://www.mandriva.com/security/advisories?name=MDVSA-2009:160 2017-09-29
http://www.redhat.com/support/errata/RHSA-2009-1140.html 2017-09-29
http://www.ubuntu.com/usn/USN-805-1 2017-09-29
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00731.html 2017-09-29
https://access.redhat.com/security/cve/CVE-2009-1904 2009-07-02
https://bugzilla.redhat.com/show_bug.cgi?id=504958 2009-07-02
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 1.8.6
Search vendor "Ruby-lang" for product "Ruby" and version "1.8.6"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 1.8.7
Search vendor "Ruby-lang" for product "Ruby" and version "1.8.7"
-
Affected