CVE-2004-0983
Published 2005-03-01
Priority: P4 · 18 · medium · 5 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 1.90% (77.1st percentile)
The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mandrakesoft | mandrake_linux | — | — |
| mandrakesoft | mandrake_linux | — | — |
| mandrakesoft | mandrake_linux | — | — |
| mandrakesoft | mandrake_linux_corporate_server | — | — |
| ubuntu | ubuntu_linux | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
CVSS provenance
NVD (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
Red Hat (vendor): 5.0 MEDIUM
Ubuntu
Ruby CGI module vulnerability
vendor_ubuntu · 2004-11-09 · CVE-2004-0983
The Ruby developers discovered a potential Denial of Service
vulnerability in the CGI module (cgi.rb). Specially crafted CGI
requests could cause an infinite loop in the server process.
Repetitive attacks could use most of the available processor
resources, exhaust the number of allowed parallel connections in web
servers, or cause similar effects which render the service
unavailable.
There is no possibility of privilege escalation or data loss.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
security flaw
vendor_redhat · 2004-11-08 · CVSS 5.0 · CVE-2004-0983 [MEDIUM]
The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
GHSA
GHSA-f94p-wf3v-wp5p: The CGI module in Ruby 1
ghsa_unreviewed · 2022-04-29 · CVE-2004-0983 [MEDIUM]
The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2004-0983 security flaw
bugzilla · 2018-08-16 · CVSS 5.0 · CVE-2004-0983 [MEDIUM]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
Bugzilla
CVE-2006-5467 Ruby CGI multipart parsing DoS
bugzilla · 2006-10-26 · CVSS 5.0 · CVE-2006-5467 [MEDIUM]
+++ This bug was initially created as a clone of Bug #212237 +++
Jeremy Kemper mailed this information to vendor-sec:
Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
when the input stream returns "" (empty string) instead of nil on EOF.
Certain malformed multipart requests leave the parser in a non-terminating
state, leaving the program vulnerable to denial of service attack. The fix
more carefully checks for input stream EOF.
affected: standalone CGI, Mongrel
unaffected: FastCGI, mod_ruby, WEBrick
This fully closes a previously-reported but partially-fixed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983
http://www.securityfocus.com/bid/11618/info
-- Additional comment from bressers@red
Bugzilla
CVE-2006-5467 Ruby CGI multipart parsing DoS
bugzilla · 2006-10-25 · CVSS 5.0 · CVE-2006-5467 [MEDIUM]
Jeremy Kemper mailed this information to vendor-sec:
Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
when the input stream returns "" (empty string) instead of nil on EOF.
Certain malformed multipart requests leave the parser in a non-terminating
state, leaving the program vulnerable to denial of service attack. The fix
more carefully checks for input stream EOF.
affected: standalone CGI, Mongrel
unaffected: FastCGI, mod_ruby, WEBrick
This fully closes a previously-reported but partially-fixed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983
http://www.securityfocus.com/bid/11618/info
Discussion:
This issue should also affect RHEL2.1 and RHEL3
---
Created attachment 139389
Proposed pat
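The EOF mismatch described in Jeremy Kemper's note, as an added Ruby example that is not code from the Bugzilla report, from Ruby's cgi.rb or from Mongrel: a body reader that recognises only nil as end-of-input keeps looping when the stream answers "" instead, while a reader that treats both as EOF and also stops at the advertised Content-Length terminates under either convention. The EmptyStringAtEofIO class, the two reader functions, the iteration cap and the sample multipart body are all constructed for this illustration and are assumptions, not the original parser's code.

```ruby
require 'stringio'

# Constructed multipart body used as sample input. The Content-Length handed
# to the readers below deliberately overstates it, as a truncated or
# malformed request would.
CONSTRUCTED_BODY = "--boundary\r\n" \
  "Content-Disposition: form-data; name=\"f\"\r\n\r\n" \
  "hello\r\n" \
  "--boundary--\r\n"

# Hypothetical stand-in for the stream convention the report describes:
# read() answers "" rather than nil once the input is exhausted.
class EmptyStringAtEofIO
  def initialize(data)
    @io = StringIO.new(data)
  end

  def read(length)
    @io.read(length) || ""
  end
end

# Hardened reader: nil and "" are both treated as EOF, and reading stops once
# the advertised Content-Length has been consumed, so an overstated length
# cannot keep the loop alive on its own.
def read_body_safely(io, content_length, chunk_size = 8)
  body = String.new(encoding: Encoding::BINARY)
  while body.bytesize < content_length
    want = [chunk_size, content_length - body.bytesize].min
    chunk = io.read(want)
    break if chunk.nil? || chunk.empty?   # EOF under either convention
    body << chunk
  end
  body
end

# Reader that recognises only nil as EOF (the pattern the fix replaced).
# The iteration cap exists purely so the spin is observable here instead of
# hanging the process; the returned tag says whether it finished or gave up.
def read_body_nil_only(io, content_length, chunk_size = 8, max_iterations = 1_000)
  body = String.new(encoding: Encoding::BINARY)
  iterations = 0
  loop do
    iterations += 1
    return [body, iterations, :gave_up] if iterations > max_iterations
    chunk = io.read(chunk_size)
    break if chunk.nil?                   # "" never matches, so the loop continues
    body << chunk
    break if body.bytesize >= content_length
  end
  [body, iterations, :done]
end

if __FILE__ == $PROGRAM_NAME
  claimed = CONSTRUCTED_BODY.bytesize + 100  # overstated Content-Length
  [StringIO, EmptyStringAtEofIO].each do |klass|
    safe = read_body_safely(klass.new(CONSTRUCTED_BODY), claimed)
    _, n, outcome = read_body_nil_only(klass.new(CONSTRUCTED_BODY), claimed)
    puts "#{klass}: safe reader got #{safe.bytesize} bytes; " \
         "nil-only reader #{outcome} after #{n} iterations"
  end
end
```

Run stand-alone, the script shows the nil-only reader finishing on a StringIO (which returns nil at EOF) but giving up at the cap on the ""-at-EOF stream, while the hardened reader returns the full body in both cases. The same two checks, both EOF conventions and a length bound, are the ones a reviewer would look for in any hand-written request-body loop.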
References:
- http://www.debian.org/security/2004/dsa-586
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:128
- http://www.redhat.com/support/errata/RHSA-2004-635.html
- http://www.securityfocus.com/bid/11618
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17985
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10268
- https://usn.ubuntu.com/20-1/