CVE-2008-3656

Severity

78%

Complexity

99%

Confidentiality

115%

Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.

Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.

CVSS 2.0 Base Score 7.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C).

Overview

First reported 16 years ago

2008-08-13 01:41:00

Last updated 6 years ago

2018-10-11 20:48:00

Affected Software

ruby-lang Ruby 1.8.0

1.8.0

Ruby-lang Ruby 1.8.1

1.8.1

Ruby-lang Ruby 1.8.2

1.8.2

Ruby-lang Ruby 1.8.2 Preview 2

1.8.2

Ruby-lang Ruby 1.8.2 Preview 3

1.8.2

Ruby-lang Ruby 1.8.2 Preview 4

1.8.2

Ruby-lang Ruby 1.8.3

1.8.3

Ruby-lang Ruby 1.8.3 Preview 1

1.8.3

Ruby-lang Ruby 1.8.3 Preview 2

1.8.3

Ruby-lang Ruby 1.8.3 Preview 3

1.8.3

Ruby-lang Ruby 1.8.4

1.8.4

Ruby-lang Ruby 1.8.4 Preview 1

1.8.4

Ruby-lang Ruby 1.8.4 Preview 2

1.8.4

Ruby-lang Ruby

Ruby-lang Ruby 1.8.5 Preview 1

1.8.5

Ruby-lang Ruby 1.8.5 Preview 2

1.8.5

Ruby-lang Ruby 1.8.5 Preview 3

1.8.5

Ruby-lang Ruby 1.8.5 Preview 4

1.8.5

Ruby-lang Ruby 1.8.5 Preview 5

1.8.5

Ruby-lang Ruby 1.8.6

1.8.6

Ruby-lang Ruby 1.8.6 Preview 1

1.8.6

Ruby-lang Ruby 1.8.6 Preview 2

1.8.6

Ruby-lang Ruby 1.8.6 Preview 3

1.8.6

ruby-lang Ruby 1.8.7

1.8.7

ruby-lang Ruby 1.8.7-p17

1.8.7

ruby-lang Ruby 1.8.7-p22

1.8.7

ruby-lang Ruby 1.8.7-p71

1.8.7

ruby-lang Ruby 1.8.7-preview1

1.8.7

ruby-lang Ruby 1.8.7-preview2

1.8.7

ruby-lang Ruby 1.8.7-preview3

1.8.7

ruby-lang Ruby 1.8.7-preview4

1.8.7

ruby-lang Ruby 1.9.0

1.9.0

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401

APPLE-SA-2009-05-12

31430

31697

32165

32219

32255

32256

32371

33178

35074

GLSA-200812-17

http://support.apple.com/kb/HT3549

http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0264

DSA-1651

DSA-1652

RHSA-2008:0897

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Exploit

20080831 rPSA-2008-0264-1 ruby

30644

1020654

TA09-133A

US Government Resource

ADV-2008-2334

ADV-2009-1297

ruby-webrick-dos(44371)

oval:org.mitre.oval:def:9682

USN-651-1

FEDORA-2008-8738

FEDORA-2008-8736

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.