Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-4492 — Improper Input Validation in Webrick

CWE-20 — Improper Input Validation8 documents8 sources

Severity

7.5HIGHNVD

EPSS

17.7%

top 4.88%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Ruby-lang Webrick

Timeline

PublishedJan 13

Latest updateOct 24

Description

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶RubyGemsruby-lang/webrick< 1.4.0

▶NVDruby-lang/webrick1.3.1

Patches

Patch: www.ruby-lang.org ↗Patch: www.ruby-lang.org ↗

🔴Vulnerability Details

GHSA

WEBrick Improper Input Validation vulnerability↗2017-10-24

▶

OSV

WEBrick Improper Input Validation vulnerability↗2017-10-24

▶

CVEList

CVE-2009-4492: WEBrick 1↗2010-01-13

▶

💥Exploits & PoCs

Exploit-DB

Ruby 1.9.1 - WEBrick 'Terminal Escape Sequence in Logs' Command Injection↗2010-01-11

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2010-02-16

▶

Red Hat

ruby WEBrick log escape sequence↗2010-01-11

▶

💬Community

Bugzilla

CVE-2009-4492 ruby WEBrick log escape sequence↗2010-01-11

▶