// For flags

CVE-2009-5147

ruby: DL:: dlopen could open a library with tainted library name

Severity Score

7.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

DL::dlopen en Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 en versiones anteriores a patchlevel 648, y 2.1 en versiones anteriores a 2.1.8 abre librerías con nombres contaminados.

It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-07-28 CVE Reserved
  • 2017-03-14 First Exploit
  • 2017-03-29 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
  • CWE-267: Privilege Defined With Unsafe Actions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
1.8.0
Search vendor "Ruby-lang" for product "Ruby" and version "1.8.0"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
1.9.0
Search vendor "Ruby-lang" for product "Ruby" and version "1.9.0"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
1.9.2
Search vendor "Ruby-lang" for product "Ruby" and version "1.9.2"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
1.9.3
Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p195
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p247
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p353
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p481
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p576
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p594
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p598
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p643
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p645
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.0.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"
p647
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.0
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.0"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.1
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.1"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.2
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.2"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.3
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.3"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.4
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.4"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.5
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.5"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.6
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.6"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
Ruby
Search vendor "Ruby-lang" for product "Ruby"
2.1.7
Search vendor "Ruby-lang" for product "Ruby" and version "2.1.7"
-
Affected