Summary
This host is installed with Ruby and is prone to a security bypass vulnerability.
Impact
Successful exploitation allows attackers to bypass certain security restrictions and perform unauthorized actions.
Impact Level: Application.
Solution
Upgrade to Ruby version 1.8.7-334 or later.
For updates refer to http://rubyforge.org/frs/?group_id=167
Insight
The flaw is due to an error in the 'Exception#to_s' method, which can be used to trick the safe level mechanism and destructively modify an untainted string so that it becomes tainted.
Affected
Ruby version 1.8.6 through 1.8.6 patchlevel 420
Ruby version 1.8.7 through 1.8.7 patchlevel 330
Ruby version 1.8.8dev
References
Severity
Classification
CVE: CVE-2011-1005
CVSS Base Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Adobe Reader Plugin Signature Bypass Vulnerability (Windows)
- Adobe Reader Cross-Site Scripting & Denial of Service Vulnerabilities (Mac OS X)
- Adobe Flash Player Multiple Security Bypass Vulnerabilities - 01 Feb14 (Windows)
- Apple Safari 'Webkit' Multiple Vulnerabilities-01 Mar14 (Mac OS X)
- Apple Safari Web Script Execution Vulnerabilities - June09