CVE-2014-2734 - Resource Management Errors vulnerability in Ruby-Lang Ruby

CVSS score: 0.0 - NONE (no CVSS vector is recorded for this entry; the 0.0 reflects missing data, not an assessed zero impact)
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily complex code that does not appear to be related to a demonstration of the issue. As of 2014-05-02, CVE is not aware of any public comment by the original researcher.
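Added example, not the original researcher's PoC (which this page does not reproduce) and not code from the Ruby project: a plain RSA sign/verify round trip with Ruby's openssl extension in which the signed data is written to a temporary file, the file handle is reopened on the same path with IO#reopen, and the data is read back before verification. The helper names (make_key, sign, verify, verify_after_reopen) and the exact file sequence are assumptions chosen to mirror the advisory's wording. On a correctly behaving openssl the genuine signature verifies and both a bit-flipped signature and altered data are rejected; this is the baseline check a practitioner should run in their own environment before trusting or dismissing a report of this kind.

```ruby
require 'openssl'
require 'tempfile'

# Constructed sample key: a freshly generated RSA key standing in for a CA
# signing key. Hypothetical helper, not part of the Ruby project.
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Sign data with RSA/SHA-256 using the private key; returns raw signature bytes.
def sign(key, data)
  key.sign(OpenSSL::Digest.new('SHA256'), data)
end

# Verify with the public half only. Ruby's PKey#verify returns true/false for
# a good/bad signature; it only raises on an internal OpenSSL error.
def verify(pub, data, sig)
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, data)
end

# Exercise the filesystem sequence named in the advisory text: write the
# signed payload to a file, reopen the same handle on that path, read the
# payload back, then verify. Returns the three verification outcomes.
def verify_after_reopen(key)
  data = 'payload signed before any file operations'   # constructed input
  sig  = sign(key, data)
  pub  = key.public_key

  Tempfile.create('cve-2014-2734') do |f|
    f.binmode
    f.write(data)
    f.flush
    f.reopen(f.path, 'rb')   # IO#reopen: re-associate this handle with the path
    reread = f.read

    forged = sig.dup
    forged.setbyte(0, forged.getbyte(0) ^ 0x01)   # flip one bit of the signature

    {
      genuine:       verify(pub, reread, sig),          # expected true
      forged:        verify(pub, reread, forged),       # expected false
      tampered_data: verify(pub, reread + 'x', sig)     # expected false
    }
  end
end

if $PROGRAM_NAME == __FILE__
  p verify_after_reopen(make_key)
end
```

Verification is done against the public key only, so a successful result never depends on private-key material being in process memory at the time of the check; a script that reuses the private key object for both signing and verifying is a weaker test than the one above.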

Vulnerable Configurations

Part        | Description | Count
Application | Ruby-Lang   | 12

Common Weakness Enumeration (CWE)

CWE-399: Resource Management Errors

Seebug

bulletinFamily: exploit
description: Bugtraq ID: 66956. CVE ID: CVE-2014-2734. Yukihiro Matsumoto Ruby is a powerful object-oriented scripting language. Yukihiro Matsumoto Ruby OpenSSL has a security vulnerability that allows an attacker to forge a CA private key. Ruby: no detailed solution is available at present: http://www.ruby-lang.org/
id: SSV:62243
last seen: 2017-11-19
modified: 2014-04-21
published: 2014-04-21
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-62243
title: Ruby OpenSSL CA private key forgery vulnerability