CVE-2009-5147 — Improper Input Validation in Ruby

CWE-20 — Improper Input Validation CWE-267 — Privilege Defined With Unsafe Actions10 documents7 sources

Severity

7.3HIGHNVD

EPSS

56.2%

top 1.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby

Timeline

PublishedMar 29

Latest updateMay 2

Description

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages1 packages

▶NVDruby-lang/ruby13 versions+12

Patches

Patch: seclists.org ↗Patch: bugzilla.redhat.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mmq8-m72q-qgm4: DL::dlopen in Ruby 1↗2022-05-02

▶

OSV

ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities↗2017-07-25

▶

CVEList

CVE-2009-5147: DL::dlopen in Ruby 1↗2017-03-29

▶

OSV

CVE-2009-5147: DL::dlopen in Ruby 1↗2017-03-29

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2017-07-25

▶

Red Hat

ruby: DL:: dlopen could open a library with tainted library name↗2009-05-11

▶

Red Hat

ruby: DL:: dlopen could open a library with tainted library name↗2009-05-11

▶

💬Community

Bugzilla

CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name↗2015-07-31

▶

Bugzilla

CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name [fedora-all]↗2015-07-31

▶