Vulnerabilities > CVE-2018-10199 - Use After Free vulnerability in Mruby

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

mruby

CWE-416

critical

NVD

Published: 2018-04-18

Updated: 2018-05-22

Summary

In versions of mruby up to and including 1.4.0, a use-after-free vulnerability exists in src/io.c::File#initilialize_copy(). An attacker that can cause Ruby code to be run can possibly use this to execute arbitrary code.

Vulnerable Configurations

Part	Description	Count
Application	Mruby Mruby Mruby - Mruby Mruby 1.0.0 Mruby Mruby 1.1.0 Mruby Mruby 1.2.0 Mruby Mruby 1.3.0 Mruby Mruby 1.4.0	12

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

References

https://github.com/mruby/mruby/issues/4001
https://github.com/mruby/mruby/commit/b51b21fc63c9805862322551387d9036f2b63433