CVE-2009-5147
published 2017-03-29

CVE-2009-5147: DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

Priority: P3 40, high
CVSS 3.0: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS: 7.77% (93.9th percentile)

Affected (19 ranges)

Vendor       Product    Version range    Fixed in
apple        mac_os_x   <= 10.11.3
ruby-lang    ruby       <= 2.0.0-p647
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby
ruby-lang    ruby

Detection & IOCs (extracted from sources)

  • The vulnerable code path is Ruby's DL::dlopen: monitor for dynamic library loading calls that bypass taint checking when $SAFE > 0.
  • The vulnerability was re-introduced in the Fiddle module (ext/fiddle/handle.c) after DL was reimplemented on top of Fiddle and libffi; detection should also cover Fiddle::Handle usage with tainted strings.
  • The upstream fix commit for the regression (CVE-2015-7551 / CVE-2009-5147) is available for patch-level verification.
  • The DL module was removed in Ruby 2.2, so the DL::dlopen vector does not apply to Ruby 2.2+; only the Fiddle::Handle vector (the CVE-2015-7551 regression) applies there.
  • CVE-2009-5147 was fixed in Ruby 1.9.1-p129 for the DL branch but was never backported to the other branches (1.8, 2.0, 2.1), leaving those versions still vulnerable.
  • Red Hat rated this issue as Low severity and marked all affected RHEL packages as 'Will not fix'; do not rely on OS vendor patches for RHEL 4–7.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.3     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       7.3     HIGH
vendor_redhat             7.3     HIGH
vendor_ubuntu             7.3     HIGH