CVE-2008-3655

Severity

75%

Complexity

99%

Confidentiality

106%

Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.

Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

First reported 16 years ago

2008-08-13 01:41:00

Last updated 6 years ago

2018-10-11 20:48:00

Affected Software

ruby-lang Ruby 1.8.0

1.8.0

Ruby-lang Ruby 1.8.1

1.8.1

Ruby-lang Ruby 1.8.2

1.8.2

Ruby-lang Ruby 1.8.2 Preview 2

1.8.2

Ruby-lang Ruby 1.8.2 Preview 3

1.8.2

Ruby-lang Ruby 1.8.2 Preview 4

1.8.2

Ruby-lang Ruby 1.8.3

1.8.3

Ruby-lang Ruby 1.8.3 Preview 1

1.8.3

Ruby-lang Ruby 1.8.3 Preview 2

1.8.3

Ruby-lang Ruby 1.8.3 Preview 3

1.8.3

Ruby-lang Ruby 1.8.4

1.8.4

Ruby-lang Ruby 1.8.4 Preview 1

1.8.4

Ruby-lang Ruby 1.8.4 Preview 2

1.8.4

Ruby-lang Ruby

Ruby-lang Ruby 1.8.5 Preview 1

1.8.5

Ruby-lang Ruby 1.8.5 Preview 2

1.8.5

Ruby-lang Ruby 1.8.5 Preview 3

1.8.5

Ruby-lang Ruby 1.8.5 Preview 4

1.8.5

Ruby-lang Ruby 1.8.5 Preview 5

1.8.5

Ruby-lang Ruby 1.8.6

1.8.6

Ruby-lang Ruby 1.8.6 Preview 1

1.8.6

Ruby-lang Ruby 1.8.6 Preview 2

1.8.6

Ruby-lang Ruby 1.8.6 Preview 3

1.8.6

ruby-lang Ruby 1.8.7

1.8.7

ruby-lang Ruby 1.8.7-p17

1.8.7

ruby-lang Ruby 1.8.7-p22

1.8.7

ruby-lang Ruby 1.8.7-p71

1.8.7

ruby-lang Ruby 1.8.7-preview1

1.8.7

ruby-lang Ruby 1.8.7-preview2

1.8.7

ruby-lang Ruby 1.8.7-preview3

1.8.7

ruby-lang Ruby 1.8.7-preview4

1.8.7

ruby-lang Ruby 1.9.0

1.9.0

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401

APPLE-SA-2009-05-12

31430

Vendor Advisory

31697

Vendor Advisory

32165

Vendor Advisory

32219

Vendor Advisory

32255

Vendor Advisory

32256

Vendor Advisory

32371

Vendor Advisory

32372

Vendor Advisory

33178

Vendor Advisory

35074

Vendor Advisory

GLSA-200812-17

http://support.apple.com/kb/HT3549

http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0264

DSA-1651

Patch

DSA-1652

RHSA-2008:0895

RHSA-2008:0897

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Exploit

20080831 rPSA-2008-0264-1 ruby

30644

Exploit, Patch

1020656

TA09-133A

US Government Resource

ADV-2008-2334

Vendor Advisory

ADV-2009-1297

Patch, Vendor Advisory

ruby-safelevel-security-bypass(44369)

oval:org.mitre.oval:def:11602

USN-651-1

FEDORA-2008-8738

FEDORA-2008-8736

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.