CVE-2013-2065 — Ruby vulnerability

CWE-2647 documents6 sources

Severity

6.4MEDIUMNVD

EPSS

0.5%

top 34.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Ruby-lang Ruby

Timeline

PublishedNov 2

Latest updateMay 14

Description

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

▶NVDruby-lang/ruby6 versions+5

▶NVDopensuse/opensuse12.2, 12.3+1

Patches

Patch: www.ruby-lang.org ↗Patch: www.ruby-lang.org ↗

🔴Vulnerability Details

GHSA

GHSA-wh77-3w5g-7q6x: (1) DL and (2) Fiddle in Ruby 1↗2022-05-14

▶

CVEList

CVE-2013-2065: (1) DL and (2) Fiddle in Ruby 1↗2013-11-02

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2013-11-27

▶

Red Hat

Ruby: Object taint bypassing in DL and Fiddle↗2013-05-14

▶

💬Community

Bugzilla

CVE-2013-2065 Ruby: Object taint bypassing in DL and Fiddle [fedora-all]↗2013-05-14

▶

Bugzilla

CVE-2013-2065 Ruby: Object taint bypassing in DL and Fiddle↗2013-05-11

▶