CVE-2012-4522Null Byte Interaction Error (Poison Null Byte) in Ruby

CWE-264CWE-626Null Byte Interaction Error (Poison Null Byte)7 documents6 sources
Severity
5.0MEDIUMNVD
EPSS
0.3%
top 42.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ruby-lang Ruby
Timeline
PublishedNov 24
Latest updateMay 17

Description

The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDruby-lang/ruby1.9.3, 2.0.0+1

🔴Vulnerability Details

2
GHSA
GHSA-6mch-f8jc-rpmr: The rb_get_path_check function in file2022-05-17
CVEList
CVE-2012-4522: The rb_get_path_check function in file2012-11-24

📋Vendor Advisories

2
Ubuntu
Ruby vulnerabilities2012-10-23
Red Hat
ruby: unintentional file creation caused by inserting an illegal NUL character2012-10-12

💬Community

2
Bugzilla
CVE-2012-4522 ruby: unintentional file creation caused by inserting an illegal NUL character [fedora-all]2012-10-15
Bugzilla
CVE-2012-4522 ruby: unintentional file creation caused by inserting an illegal NUL character2012-10-12
CVE-2012-4522 — Ruby-lang Ruby vulnerability | cvebase