CVE-2009-4124
published 2009-12-11CVE-2009-4124: Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary…
PriorityP339critical10CVSS 2.0
AVNACLAuNCCICAC
EPSS
3.88%
88.9th percentile
Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
CVSS provenance
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat10.0CRITICAL
vendor_ubuntu5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2010-02-16·CVSS 5.0
CVE-2009-1904 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Ruby vulnerabilities
Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)
Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)
It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only aff
Red Hat
ruby: Heap-based buffer overflow in the rb_str_justify() function
vendor_redhat·2009-12-07·CVSS 10.0
CVE-2009-4124 [CRITICAL] CWE-122 ruby: Heap-based buffer overflow in the rb_str_justify() function
ruby: Heap-based buffer overflow in the rb_str_justify() function
Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
Statement: Not vulnerable. This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as it did not affect the Ruby 1.8 series.
Package: ruby (Red Hat Enterprise Linux 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-9mvm-2xp2-9wmw: Heap-based buffer overflow in the rb_str_justify function in string
ghsa_unreviewed·2022-05-02
CVE-2009-4124 [HIGH] CWE-119 GHSA-9mvm-2xp2-9wmw: Heap-based buffer overflow in the rb_str_justify function in string
Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
No detection rules found.
No public exploits indexed.
http://secunia.com/advisories/37660http://www.osvdb.org/60880http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/http://www.securityfocus.com/bid/37278http://www.vupen.com/english/advisories/2009/3471https://exchange.xforce.ibmcloud.com/vulnerabilities/54674http://secunia.com/advisories/37660http://www.osvdb.org/60880http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/http://www.securityfocus.com/bid/37278http://www.vupen.com/english/advisories/2009/3471https://exchange.xforce.ibmcloud.com/vulnerabilities/54674
2009-12-11
Published