Description: Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string that contains a precision specifier (*) with a huge negative value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2
Attack Vector: Network
Complexity: Low
Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High
Affected Packages: 3 packages

Vulnerability Details (6):
- GHSA GHSA-wvmx-3rv2-5jgf: Ruby before 2 (2022-05-14)
- OSV: ruby2.0 regression (2021-03-25)
- OSV: ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (2018-06-13)
- OSV: ruby1.9.1 vulnerabilities (2017-10-05)
- OSV: CVE-2017-0898: Ruby before 2 (2017-09-15)

Vendor Advisories (5):
- Apple: CVE-2017-0898: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra (2018-10-30)
- Apple: CVE-2017-0898: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan (2018-07-09)
- Ubuntu: Ruby vulnerabilities (2018-06-13)
- Ubuntu: Ruby vulnerabilities (2017-10-05)
- Red Hat: ruby: Buffer underrun vulnerability in Kernel.sprintf (2017-09-14)

Community (3):
- Bugzilla: CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf (2017-09-15)
- Bugzilla: CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 ruby: various flaws [fedora-all] (2017-09-15)
- Bugzilla: CVE-2017-2653 CloudForms: UI security issue on Openstack actions (2017-03-14)