CVE-2012-4481
published 2013-05-02CVE-2012-4481: The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE…
PriorityP418medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EPSS
1.94%
77.6th percentile
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat5.0MEDIUM
vendor_ubuntu5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2012-10-23·CVSS 5.0
CVE-2012-4466 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Ruby could allow excessive access in untrusted programs.
USN-1603-1 fixed vulnerabilities in Ruby. This update provides the
corresponding updates for Ubuntu 12.10.
Original advisory details:
Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted
strings to be modified in protective safe levels. An attacker could use this
flaw to bypass intended access restrictions. (CVE-2012-4466, CVE-2012-4481)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2012-10-10·CVSS 5.0
CVE-2012-4466 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Ruby could allow excessive access in untrusted programs.
Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted
strings to be modified in protective safe levels. An attacker could use this
flaw to bypass intended access restrictions. (CVE-2012-4466, CVE-2012-4481)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
vendor_redhat·2012-10-05·CVSS 5.0
CVE-2012-4481 [MEDIUM] ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
GHSA
GHSA-gh65-6rxj-m8cc: The safe-level feature in Ruby 1
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2012-4481 [MEDIUM] GHSA-gh65-6rxj-m8cc: The safe-level feature in Ruby 1
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
No detection rules found.
No public exploits indexed.
http://rhn.redhat.com/errata/RHSA-2013-0129.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0612.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:124http://www.openwall.com/lists/oss-security/2012/10/05/4https://bugzilla.redhat.com/show_bug.cgi?id=863484https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294http://rhn.redhat.com/errata/RHSA-2013-0129.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0612.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:124http://www.openwall.com/lists/oss-security/2012/10/05/4https://bugzilla.redhat.com/show_bug.cgi?id=863484https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0294
2013-05-02
Published