CVE-2010-1330 — Cross-site Scripting in Jruby

CWE-79 — Cross-site Scripting10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 37.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jruby Debian Jruby

Timeline

PublishedNov 23

Latest updateMay 2

Description

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/jruby< jruby 1.5.0~rc1-1 (bookworm)

▶Debianjruby/jruby< 1.5.0~rc1-1+2

▶NVDjruby/jruby1.4.0+20

Patches

Patch: www.jruby.org ↗Patch: www.jruby.org ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in in JRuby↗2022-05-02

▶

GHSA

Cross-site Scripting in in JRuby↗2022-05-02

▶

OSV

CVE-2010-1330: The regular expression engine in JRuby before 1↗2012-11-23

▶

💥Exploits & PoCs

Exploit-DB

Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow↗2010-08-04

▶

📋Vendor Advisories

Red Hat

jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences↗2010-04-26

▶

Debian

CVE-2010-1330: jruby - The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', ...↗2010

▶

💬Community

Bugzilla

CVE-2010-1330 jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences [fedora-15]↗2011-10-31

▶

Bugzilla

CVE-2010-1330 jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences [fedora-14]↗2011-10-31

▶

Bugzilla

CVE-2010-1330 jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences↗2011-10-31

▶