Description

Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.

Remediation

References

CVE-2012-4466

Related Vulnerabilities

Resin Application Server Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-2966)

Django Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0473)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2016-4542)

WordPress Plugin BCS BatchLine Book Importer Security Bypass (1.5.7)

WordPress Plugin WP Photo Album Plus 'wppa-album' Parameter SQL Injection (4.1.1)

Severity

Medium

Classification

CVE-2012-4466 CWE-264

Tags

Missing Update Known Vulnerabilities