CVE-2013-4164Improper Restriction of Operations within the Bounds of a Memory Buffer in Ruby

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-228Improper Handling of Syntactically Invalid StructureCWE-122Heap-based Buffer Overflow9 documents7 sources
Severity
6.8MEDIUMNVD
EPSS
12.0%
top 6.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ruby-lang Ruby
Timeline
PublishedNov 23
Latest updateMay 14

Description

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDruby-lang/ruby7 versions+6

Patches

Patch: www.ruby-lang.orgPatch: www.ruby-lang.org

🔴Vulnerability Details

3
GHSA
GHSA-j98q-m2w8-57rc: Heap-based buffer overflow in Ruby 12022-05-14
CVEList
CVE-2013-4164: Heap-based buffer overflow in Ruby 12013-11-23
OSV
CVE-2013-4164: Heap-based buffer overflow in Ruby 12013-11-22

📋Vendor Advisories

2
Ubuntu
Ruby vulnerabilities2013-11-27
Red Hat
ruby: heap overflow in floating point parsing2013-11-22

💬Community

3
Bugzilla
php: heap overflow in floating point parsing2014-01-24
Bugzilla
CVE-2013-4164 ruby: heap overflow in floating point parsing [fedora-all]2013-11-22
Bugzilla
CVE-2013-4164 ruby: heap overflow in floating point parsing2013-11-22
CVE-2013-4164 — Ruby-lang Ruby vulnerability | cvebase