CVE-2017-11465
published 2017-07-19
Priority: P4 · 33 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.68% (74.0th percentile)
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-6f39-fvhf-c6qr · ghsa_unreviewed · 2022-05-17 · CWE-125 · CRITICAL
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
Red Hat
ruby: Invalid read/write in parser_yyerror function in UTF-8 parser
vendor_redhat · 2017-07-13 · CVSS 9.8 · CRITICAL · CWE-119
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Additionally, the security impact of this flaw is disputed by the upstream Ruby project.
No detection rules found.
No public exploits indexed.
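The advisory text gives only the crash location (parser_yyerror and parser_tokadd_utf8 in parse.y, the \u escape handling of the UTF-8 parser) and a contradictory severity picture: NVD scores it 9.8 critical, Red Hat rates it Low, and upstream says it is not a vulnerability at all. What a practitioner can act on is narrower: only Ruby 2.4.1 is named and no fixed version is listed, and a parser bug means a script never has to be executed to trigger it, so any service that merely syntax-checks or inspects untrusted Ruby source in-process is the one at risk of the denial of service. The $SAFE mechanism mentioned in the NOTE was removed in Ruby 3.0 and should not be relied on as a sandbox in any version. The script below is an added example written for this page, not code from the Ruby project or from any source quoted here: it records the version named in the advisory and moves the parse of untrusted source into a child process (`ruby -c`) so that an invalid read or write kills the child rather than the host. The affected-version list and the sample inputs are constructed from the advisory text; no attempt is made to reproduce the upstream crash input, which is not on this page.

```ruby
require "open3"
require "rbconfig"
require "tempfile"
require "timeout"

# Only version named in the advisory text (constructed list). The affected
# table lists no fixed version, so this is a triage hint, not a full range.
AFFECTED_VERSIONS = ["2.4.1"].freeze

def affected_ruby_version?(version = RUBY_VERSION)
  AFFECTED_VERSIONS.include?(version)
end

# Syntax-check untrusted Ruby source with `ruby -c` in a separate process.
# The flaw lives in the parser, so parsing alone can hit it; doing the parse
# out-of-process turns an invalid read/write into a dead child, reported as
# :crashed with its signal name, instead of a crash of the calling service.
# Returns a hash whose :result is :ok, :syntax_error, :crashed or :timeout.
def isolated_syntax_check(source, ruby: RbConfig.ruby, timeout_s: 5)
  Tempfile.create(["untrusted", ".rb"]) do |file|
    file.write(source)
    file.flush
    Open3.popen3(ruby, "--disable-gems", "-c", file.path) do |stdin, stdout, stderr, wait_thr|
      stdin.close
      # Drain both pipes in threads so a chatty child can never block on a full pipe.
      out_reader = Thread.new { stdout.read }
      err_reader = Thread.new { stderr.read }
      status = begin
        Timeout.timeout(timeout_s) { wait_thr.value }
      rescue Timeout::Error
        begin
          Process.kill("KILL", wait_thr.pid)
        rescue Errno::ESRCH
          nil # child already gone
        end
        nil
      end
      out = out_reader.value
      err = err_reader.value
      if status.nil?
        { result: :timeout, signal: nil, stdout: out, stderr: err }
      elsif status.signaled?
        { result: :crashed, signal: Signal.signame(status.termsig), stdout: out, stderr: err }
      elsif status.success?
        { result: :ok, signal: nil, stdout: out, stderr: err }
      else
        { result: :syntax_error, signal: nil, stdout: out, stderr: err }
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  puts "ruby #{RUBY_VERSION} named in advisory text: #{affected_ruby_version?}"
  # Constructed inputs: a valid script, and a script with an unterminated \u{ escape
  # (the escape form handled on the parser_tokadd_utf8 path). Neither is the upstream
  # reproducer; they only exercise the :ok and :syntax_error branches.
  ["puts 'hello'", "puts \"\\u{\""].each do |src|
    r = isolated_syntax_check(src)
    puts "#{src.inspect}: #{r[:result]} #{r[:signal]}".strip
  end
end
```

Feed it the contents of any script a service would otherwise hand to `eval`, `RubyVM::InstructionSequence.compile` or `Ripper` in-process: a :crashed result carrying SEGV or BUS is what the advisory's "invalid read or write" looks like from outside, and :timeout catches inputs that hang the parser. The child gets `--disable-gems` so nothing beyond the core parser is loaded; add `ulimit`-style resource limits around the spawn if the checker runs as a shared service.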
Bugzilla
CVE-2017-11465 ruby: Invalid read/write in parser_yyerror function in UTF-8 parser
bugzilla · 2017-07-21 · CVSS 9.8 · CRITICAL
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
Upstream bug:
https://bugs.ruby-lang.org/issues/13742
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1473721]
---
This is not a vulnerability according to upstream [1]:
~~~
Note that this is not a vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11465 is invalid.
~~~
[1] https://bugs.ruby-lang.org/issues/13742#n
Bugzilla
CVE-2017-11465 ruby: Invalid read/write in parser_yyerror function in UTF-8 parser [fedora-all]
bugzilla · 2017-07-21 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple