CVE-2012-4466Incorrect Privilege Assignment in Ruby

CWE-266Incorrect Privilege Assignment12 documents6 sources
Severity
5.0MEDIUMNVD
EPSS
1.2%
top 21.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ruby-lang Ruby
Timeline
PublishedApr 25
Latest updateMay 17

Description

Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDruby-lang/ruby4 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-gm9g-777x-3fp6: Ruby 12022-05-17
CVEList
CVE-2012-4466: Ruby 12013-04-25

📋Vendor Advisories

6
Ubuntu
Ruby vulnerabilities2012-10-23
Ubuntu
Ruby vulnerabilities2012-10-23
Ubuntu
Ruby vulnerabilities2012-10-10
Ubuntu
Ruby vulnerabilities2012-10-10
Red Hat
ruby: safe level bypass via name_err_mesg_to_str()2012-10-02

💬Community

3
Bugzilla
CVE-2012-4481 ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects2012-10-05
Bugzilla
CVE-2012-4466 ruby: safe level bypass via name_err_mesg_to_str()2012-10-03
Bugzilla
CVE-2012-4464 CVE-2012-4466 ruby: various flaws [fedora-all]2012-10-03
CVE-2012-4466 — Incorrect Privilege Assignment in Ruby | cvebase