CVE-2014-6438 - Regular expression denial of service in URI.decode_www_form_component (Ruby-Lang Ruby)

ID

CVE-2014-6438

Last update

2017-09-11

Published

2017-09-06

Summary

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
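Added example (not code from the advisory, from Tenable, or from the Ruby project): a Ruby script that reconstructs the failing step. The two regexps are written from memory of the %-encoding check in Ruby 1.9.2's lib/uri/common.rb and its fix, so treat them as an assumption rather than a quotation; the decode table and the decode_www_form_component stand-in are likewise hypothetical. The vulnerable form nests [^%]+ inside (...)*, so a long run of ordinary characters that ends in a lone % can be split between iterations in 2^(n-1) different ways before the match finally fails; the fixed form gives every character exactly one place to go. On Ruby 3.2 and later the interpreter memoises backtracking state and offers Regexp.timeout, so the timing gap may not reproduce there; the structural difference between the two patterns still does.

```ruby
# Added example (not code from the advisory or the Ruby project): reproduces
# the CVE-2014-6438 pattern in URI.decode_www_form_component and contrasts it
# with the fixed pattern.
#
# ASSUMPTION: both regexps below are reconstructed from memory of Ruby 1.9.2's
# lib/uri/common.rb and its fix; they are not quoted from the page above.
VULNERABLE_RE = /\A(?:%\h\h|[^%]+)*\z/     # [^%]+ nested inside (...)*: ambiguous split
HARDENED_RE   = /\A[^%]*(?:%\h\h[^%]*)*\z/ # every character belongs to exactly one group

# "+" decodes to a space, "%XX" to the byte 0xXX (same table shape as the stdlib).
DECODE_TABLE = Hash.new { |h, k| h[k] = [k[1, 2].hex].pack('C') }
DECODE_TABLE['+'] = ' '

# Hypothetical stand-in for URI.decode_www_form_component: validate the whole
# string first (the step that backtracks), then substitute.
def decode_www_form_component(str, validator: HARDENED_RE, enc: Encoding::UTF_8)
  raise ArgumentError, "invalid %-encoding (#{str})" unless validator =~ str
  str.b.gsub(/\+|%\h\h/) { |c| DECODE_TABLE[c] }.force_encoding(enc)
end

# Constructed attacker input: a long run of ordinary characters followed by a
# lone "%". The match must fail, and the vulnerable pattern fails only after
# trying every one of the 2**(n-1) ways of splitting the run between
# iterations of the outer "*".
def evil_input(n)
  ('a' * n) + '%'
end

# Returns [matched?, seconds] for validating str against re.
def time_validation(re, str)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = !(re =~ str).nil?
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

if __FILE__ == $0
  puts decode_www_form_component('q=ruby+uri%20redos%26x').inspect

  # Vulnerable pattern: each extra character roughly doubles the time on
  # Ruby < 3.2 (3.2 added match memoisation and Regexp.timeout, which largely
  # neutralise this class of pattern).
  [12, 16, 20].each do |n|
    matched, secs = time_validation(VULNERABLE_RE, evil_input(n))
    printf("vulnerable n=%-6d matched=%-5s %.4fs\n", n, matched, secs)
  end

  # Hardened pattern: rejects a 100_000-character payload in linear time.
  matched, secs = time_validation(HARDENED_RE, evil_input(100_000))
  printf("hardened   n=%-6d matched=%-5s %.4fs\n", 100_000, matched, secs)
end
```

Run it as a plain script (ruby redos_demo.rb). Pass validator: VULNERABLE_RE to decode_www_form_component to see the old behaviour on your own inputs; the point to take away is that a safe validation regexp for this grammar has no nested quantifier with an ambiguous boundary, so a failing input is rejected after a single pass.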
Vulnerable Configurations

CVSS

Base: 5.0 (CVSS v2, as of 2017-09-11 18:25)
Impact: 2.9 (CVSS v2 impact subscore, derived from the C:N/I:N/A:P vector below)
Exploitability: 10.0 (CVSS v2 exploitability subscore, derived from the AV:N/AC:L/Au:N vector below)
CWE

CAPEC

Access

Vector: NETWORK
Complexity: LOW
Authentication: NONE

Impact

Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
Nessus

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-275.NASL
description: It was discovered that the uri package in the Ruby standard library uses regular expressions that may result in excessive backtracking. Ruby applications that parse untrusted URIs using this library were susceptible to denial of service attacks by passing crafted URIs. For the oldoldstable distribution (squeeze), this problem has been fixed in version 1.9.2.0-2+deb6u6. The oldstable distribution (wheezy) and stable distribution (jessie) were not affected by this problem as it was fixed before release. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-01-01
modified: 2020-01-02
plugin id: 84833
published: 2015-07-20
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84833
title: Debian DLA-275-1 : ruby1.9.1 security update
Refmap

confirm:
mlist: [oss-security] 20150713 Re: Retroactive CVE request for Ruby 1.9.2-p330
sectrack: 1032874
References