CVE-2012-5370 — Uncontrolled Resource Consumption in Jruby

CWE-400 — Uncontrolled Resource Consumption8 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 30.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jruby Debian Jruby

Timeline

PublishedNov 28

Latest updateMay 17

Description

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶debiandebian/jruby< jruby 1.5.6-5 (bookworm)

▶Debianjruby/jruby< 1.5.6-5+2

🔴Vulnerability Details

GHSA

JRuby denial of service via Hash Collision↗2022-05-17

▶

OSV

JRuby denial of service via Hash Collision↗2022-05-17

▶

OSV

CVE-2012-5370: JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers t↗2012-11-28

▶

📋Vendor Advisories

Red Hat

jruby: Murmur hash function collisions (oCERT-2012-001)↗2012-11-23

▶

Debian

CVE-2012-5370: jruby - JRuby computes hash values without properly restricting the ability to trigger h...↗2012

▶

💬Community

Bugzilla

CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001) [fedora-all]↗2012-11-27

▶

Bugzilla

CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)↗2012-11-27

▶