CVE-2011-4815 — Improper Input Validation in Ruby

CWE-20 — Improper Input Validation9 documents6 sources

Severity

7.8HIGHNVD

EPSS

2.0%

top 16.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby

Timeline

PublishedDec 30

Latest updateMay 17

Description

Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages1 packages

▶NVDruby-lang/ruby1.8.7-p352+4

🔴Vulnerability Details

GHSA

GHSA-xpr8-vpc7-7vfc: Ruby (aka CRuby) before 1↗2022-05-17

▶

CVEList

CVE-2011-4815: Ruby (aka CRuby) before 1↗2011-12-30

▶

📋Vendor Advisories

Red Hat

ruby: Murmur hash-flooding DoS flaw in ruby 1.9 (oCERT-2012-001)↗2012-11-09

▶

Ubuntu

Ruby vulnerabilities↗2012-02-28

▶

Red Hat

ruby: hash table collisions CPU usage DoS (oCERT-2011-003)↗2011-12-28

▶

💬Community

Bugzilla

CVE-2012-5371 ruby: Murmur hash-flooding DoS flaw in ruby 1.9 (oCERT-2012-001)↗2012-11-09

▶

Bugzilla

CVE-2011-4815 ruby: hash table collisions CPU usage DoS (oCERT-2011-003) [fedora-all]↗2011-12-29

▶

Bugzilla

CVE-2011-4815 ruby: hash table collisions CPU usage DoS (oCERT-2011-003)↗2011-11-01

▶