CVE-2016-2336
Published 2017-01-06
Priority P350 · critical 9.8 (CVSS 3.0) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.29% (86.9th percentile)
Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. An attacker passing a different type of object than the one assumed by the developers can cause arbitrary code execution.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby | ruby | — | — |
| ruby | ruby | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | 3.x | 9.8 | CRITICAL | |
Red Hat
ruby: WIN32OLE ole_invoke and ole_query_interface type confusion vulnerabilities
vendor_redhat · 2016-06-14 · CVSS 9.8 · CVE-2016-2336 [CRITICAL] · CWE-843
Statement: This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux or Red Hat Software Collections as they did not include support for OLE.
Package: rh-ruby22-ruby (CloudForms Management Engine 5) - Not affected
Package: ruby-200-ruby (CloudForms Management Engine 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Not affected
Package: ruby (Red Hat Enterprise Linux 7) - Not affected
Package: rh-r
GHSA
GHSA-f46g-7w88-2qv4: Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface
ghsa_unreviewed · 2022-05-17 · CVE-2016-2336 [CRITICAL]
No detection rules found.
No public exploits indexed.