CVE-2015-7551Improper Input Validation in Apple MAC OS X

CWE-20Improper Input ValidationCWE-267Privilege Defined With Unsafe Actions10 documents8 sources
Severity
8.4HIGHNVD
CNA7.3OSV7.3
EPSS
0.2%
top 62.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apple MAC OS XRuby-lang Ruby
Timeline
PublishedMar 24
Latest updateMay 14

Description

The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages2 packages

NVDapple/mac_os_x10.11.3
NVDruby-lang/ruby2.0.0-p647+12

Patches

Patch: www.ruby-lang.orgPatch: www.ruby-lang.org

🔴Vulnerability Details

4
GHSA
GHSA-m9xr-x5mq-4fp5: The Fiddle::Handle implementation in ext/fiddle/handle2022-05-14
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities2017-07-25
CVEList
CVE-2015-7551: The Fiddle::Handle implementation in ext/fiddle/handle2016-03-24
OSV
CVE-2015-7551: The Fiddle::Handle implementation in ext/fiddle/handle2016-03-23

📋Vendor Advisories

3
Ubuntu
Ruby vulnerabilities2017-07-25
Red Hat
ruby: DL:: dlopen could open a library with tainted library name2009-05-11
Apple
CVE-2015-7551: OS X El Capitan v10.11.4 and Security Update 2016-002

💬Community

2
Bugzilla
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name2015-07-31
Bugzilla
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name [fedora-all]2015-07-31
CVE-2015-7551 — Improper Input Validation in Apple | cvebase