CVE-2011-1005
Published 2011-03-02
Priority: P4 · 22 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 2.77% (84.5th percentile)
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
CVSS provenance
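| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_redhat | | 5.0 | MEDIUM | |
| vendor_ubuntu | | 5.0 | MEDIUM | |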
GHSA
GHSA-gm9g-777x-3fp6: Ruby 1
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2012-4466 [MEDIUM] GHSA-gm9g-777x-3fp6: Ruby 1
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
GHSA
GHSA-gjcp-rx5c-g849: Ruby 1
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2012-4464 [MEDIUM] GHSA-gjcp-rx5c-g849: Ruby 1
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
GHSA
GHSA-gh65-6rxj-m8cc: The safe-level feature in Ruby 1
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2012-4481 [MEDIUM] GHSA-gh65-6rxj-m8cc: The safe-level feature in Ruby 1
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
GHSA
GHSA-h2rc-3ppq-6pjg: The safe-level feature in Ruby 1
ghsa_unreviewed·2022-05-17
CVE-2011-1005 [MEDIUM] GHSA-h2rc-3ppq-6pjg: The safe-level feature in Ruby 1
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Red Hat
ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
vendor_redhat·2012-10-05·CVSS 5.0
CVE-2012-4481 [MEDIUM] ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
Red Hat
ruby: safe level bypass via name_err_mesg_to_str()
vendor_redhat·2012-10-02·CVSS 5.0
CVE-2012-4466 [MEDIUM] CWE-266 ruby: safe level bypass via name_err_mesg_to_str()
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
Package: ruby (Red Hat Enterprise Linux 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Not affected
Red Hat
1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
vendor_redhat·2012-09-28·CVSS 5.0
CVE-2012-4464 [MEDIUM] CWE-266 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
Statement: Not vulnerable. This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not provide version 1.9.x, which is the vulnerable version of ruby.
Package: ruby (Red Hat Enterprise Linux 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Not affected
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2012-09-26·CVSS 5.0
CVE-2011-1005 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in ruby1.9.1
It was discovered that Ruby incorrectly allowed untainted strings to be
modified in protective safe levels. An attacker could use this flaw to bypass
intended access restrictions. (CVE-2011-1005)
John Firebaugh discovered that the RubyGems remote gem fetcher did not properly
verify SSL certificates. A remote attacker could exploit this to perform a man
in the middle attack to alter gem files being downloaded for installation.
(CVE-2012-2126)
John Firebaugh discovered that the RubyGems remote gem fetcher allowed
redirection from HTTPS to HTTP. A remote attacker could exploit this to perform
a machine-in-the-middle attack to alter gem files being downloaded for
installation. (CVE-2012-2125)
Instructions
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2012-02-28·CVSS 4.3
CVE-2010-0541 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in ruby1.8.
Drew Yao discovered that the WEBrick HTTP server was vulnerable to cross-site
scripting attacks when displaying error pages. A remote attacker could use this
flaw to run arbitrary web script. (CVE-2010-0541)
Drew Yao discovered that Ruby's BigDecimal module did not properly allocate
memory on 64-bit platforms. An attacker could use this flaw to cause a denial
of service or possibly execute arbitrary code with user privileges.
(CVE-2011-0188)
Nicholas Jefferson discovered that the FileUtils.remove_entry_secure method in
Ruby did not properly remove non-empty directories. An attacker could use this
flaw to possibly delete arbitrary files. (CVE-2011-1004)
It was discovered that Ruby incorrectly allowed un
Red Hat
Ruby: Untrusted codes able to modify arbitrary strings
vendor_redhat·2011-02-18·CVSS 5.0
CVE-2011-1005 [MEDIUM] Ruby: Untrusted codes able to modify arbitrary strings
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Red Hat
sysstat insecure temporary file usage
vendor_redhat·2007-08-10·CVSS 4.4
CVE-2007-3852 [MEDIUM] CWE-377 sysstat insecure temporary file usage
The init script (sysstat.in) in sysstat 5.1.2 up to 7.1.6 creates /tmp/sysstat.run insecurely, which allows local users to execute arbitrary code.
Statement: This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.
No detection rules found.
Bugzilla
CVE-2012-4481 ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
bugzilla·2012-10-05·CVSS 5.0
CVE-2012-4481 [MEDIUM] CVE-2012-4481 ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
Originally, Common Vulnerabilities and Exposures assigned an identifier of CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
with the following upstream patch:
[1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=30903&view=revision
Based on later upstream patch for different (CVE-2012-4464 and CVE-2012-4466) issues:
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
it was found that original upstream 1.8.x ruby patch for CVE-2011-1005
Bugzilla
CVE-2012-4466 ruby: safe level bypass via name_err_mesg_to_str()
bugzilla·2012-10-03·CVSS 5.0
CVE-2012-4466 [MEDIUM] CVE-2012-4466 ruby: safe level bypass via name_err_mesg_to_str()
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://www.openwall.com/lists/oss-security/2012/10/02/4
that the Ruby name_err_mesg_to_str() method is vulnerable to the similar flaw.
Relevant upstream patch:
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Discussion:
*** Bug 862906 has been marked as a duplicate of this bug. ***
---
Created ruby tracking bugs for this i
Bugzilla
ruby: safe level bypass via name_err_mesg_to_str()
bugzilla·2012-10-03·CVSS 5.0
CVE-2011-1005 [MEDIUM] ruby: safe level bypass via name_err_mesg_to_str()
As noted in bug #862598:
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4
that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.
Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
There are two issues here:
1) CVE-2011-100
Bugzilla
CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
bugzilla·2012-10-03·CVSS 5.0
CVE-2012-4464 [MEDIUM] CVE-2012-4464 ruby 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1005 to the following vulnerability:
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
Later it was reported:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689075
[2] http://www.openwall.com/lists/oss-security/2012/10/02/4
that upstream ruby 1.9.1 and ruby 1.9.3 versions are also vulnerable to this flaw.
Relevant upstream patch:
[3] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068
Discussion:
Upstream public reproducer
Bugzilla
CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings
bugzilla·2011-02-20·CVSS 5.0
CVE-2011-1005 [MEDIUM] CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings
A security flaw was found in the Ruby method,
translating message of the exception into string
representation. An attacker could use this flaw
to modify arbitrary untainted strings into their
tainted equivalents by tricking the safe level
mechanism of this method.
References:
[1] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
Upstream patch (against ruby_1_8 branch):
[2] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903
Discussion:
This issue affects the versions of the ruby package, as shipped with
Red Hat Enterprise Linux 5 and 6.
--
This issue affects the versions of the ruby package, as shipped with
Fedora release of 13.
Particular ruby package update for Fedor
References
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054422.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054436.html
http://osvdb.org/70957
http://secunia.com/advisories/43420
http://secunia.com/advisories/43573
http://support.apple.com/kb/HT5281
http://www.mandriva.com/security/advisories?name=MDVSA-2011:097
http://www.mandriva.com/security/advisories?name=MDVSA-2011:098
http://www.openwall.com/lists/oss-security/2011/02/21/2
http://www.openwall.com/lists/oss-security/2011/02/21/5
http://www.redhat.com/support/errata/RHSA-2011-0908.html
http://www.redhat.com/support/errata/RHSA-2011-0909.html
http://www.redhat.com/support/errata/RHSA-2011-0910.html
http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
http://www.securityfocus.com/bid/46458
http://www.vupen.com/english/advisories/2011/0539
https://bugzilla.redhat.com/show_bug.cgi?id=678920