CVE-2012-5371 — Ruby vulnerability

8 documents6 sources

Severity

5.0MEDIUMNVD

CNA7.8

EPSS

1.8%

top 17.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby

Timeline

PublishedNov 28

Latest updateMay 17

Description

Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDruby-lang/ruby1.9.3+5

Patches

Patch: securitytracker.com ↗Patch: www.ruby-lang.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-phrv-cj28-9h57: Ruby (aka CRuby) 1↗2022-05-17

▶

CVEList

CVE-2012-5371: Ruby (aka CRuby) 1↗2012-11-28

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2013-02-21

▶

Red Hat

ruby: Murmur hash-flooding DoS flaw in ruby 1.9 (oCERT-2012-001)↗2012-11-09

▶

💬Community

Bugzilla

CVE-2012-5371 ruby: hash-flooding DoS flaw in ruby 1.9 [fedora-18]↗2012-11-10

▶

Bugzilla

CVE-2012-5371 ruby: hash-flooding DoS flaw in ruby 1.9 [fedora-17]↗2012-11-10

▶

Bugzilla

CVE-2012-5371 ruby: Murmur hash-flooding DoS flaw in ruby 1.9 (oCERT-2012-001)↗2012-11-09

▶