CVE-2018-16396Improper Input Validation in Ruby

CWE-20Improper Input Validation9 documents7 sources
Severity
8.1HIGHNVD
OSV9.8
EPSS
3.3%
top 12.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Ruby-lang RubyCanonical Ubuntu LinuxDebian Linux+1 more
Timeline
PublishedNov 16
Latest updateMay 13

Description

An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

Alpineruby-lang/ruby< 2.5.2-r0+18
NVDruby-lang/ruby2.3.02.3.7+3

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10, Enterprise Linux 6.0, 7.0, 7.4, 7.5, 7.6

🔴Vulnerability Details

4
GHSA
GHSA-xh4x-ph6p-vmxh: An issue was discovered in Ruby before 22022-05-13
CVEList
CVE-2018-16396: An issue was discovered in Ruby before 22018-11-16
OSV
CVE-2018-16396: An issue was discovered in Ruby before 22018-11-16
OSV
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities2018-11-05

📋Vendor Advisories

2
Ubuntu
Ruby vulnerabilities2018-11-05
Red Hat
ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives2018-10-17

💬Community

2
Bugzilla
CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives2018-10-25
Bugzilla
CVE-2018-16395 CVE-2018-16396 ruby: various flaws [fedora-all]2018-10-25
CVE-2018-16396 — Improper Input Validation in Ruby | cvebase