CVE-2018-16396
Published: 2018-11-16
Priority P348 · high · 8.1 (CVSS 3.0)
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 7.97% (94.0th percentile)
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
Affected
34 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
| ruby-lang | ruby | >= 0 < 2.5.2-r0 | 2.5.2-r0 |
CVSS provenance
nvd · v3.0 · 8.1 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 9.8 CRITICAL
vendor_ubuntu · 9.8 CRITICAL
vendor_redhat · 8.1 HIGH
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-11-05·CVSS 9.8
CVE-2018-16395 [CRITICAL] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain X.509
certificates. An attacker could possibly use this issue to
bypass the certificate check. (CVE-2018-16395)
It was discovered that Ruby incorrectly handled certain
inputs. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2018-16396)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
vendor_redhat·2018-10-17·CVSS 8.1
CVE-2018-16396 [HIGH] CWE-20 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates.
Red Hat Virtualization includes a vulnerable version of ruby, however the affected functionality is not used in Red Hat Virtualization or any of its dependencies. A future update may address this issue.
Package: ruby (Red Hat Enterprise Linux 5) - Will
GHSA
GHSA-xh4x-ph6p-vmxh: An issue was discovered in Ruby before 2
ghsa_unreviewed·2022-05-13
CVE-2018-16396 [HIGH] GHSA-xh4x-ph6p-vmxh: An issue was discovered in Ruby before 2
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
OSV
CVE-2018-16396: An issue was discovered in Ruby before 2
osv·2018-11-16·CVSS 8.1
CVE-2018-16396 [HIGH] CVE-2018-16396: An issue was discovered in Ruby before 2
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
OSV
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities
osv·2018-11-05·CVSS 9.8
CVE-2018-16395 [CRITICAL] ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 vulnerabilities
It was discovered that Ruby incorrectly handled certain X.509
certificates. An attacker could possibly use this issue to
bypass the certificate check. (CVE-2018-16395)
It was discovered that Ruby incorrectly handled certain
inputs. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2018-16396)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
bugzilla·2018-10-25·CVSS 8.1
CVE-2018-16396 [HIGH] CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
Array#pack method converts the receiver’s contents into a string with specified format. If the receiver contains some tainted objects, the returned string also should be tainted. String#unpack method which converts the receiver into an array also should propagate its tainted flag to the objects contained in the returned array. But, with B, b, H and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs by Array#pack and/or String#unpack with these directives and checks the reliability with tainted flags, the check might be wrong.
External References:
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pa
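A triage check for the issue described in the Bugzilla entry above, added here as an example and not taken from Ruby, Red Hat or any advisory on this page. The function names are hypothetical; the version ranges and the `B`, `b`, `H`, `h` directives come from the text above, and the probe assumes taint tracking is only meaningful before Ruby 2.7 (it became a no-op in 2.7 and was removed in 3.2).

```ruby
require "rubygems" # Gem::Version (loaded by default on modern Ruby)

# First fixed release per branch, from the advisory text on this page.
FIXED_IN = {
  "2.3" => "2.3.8",
  "2.4" => "2.4.5",
  "2.5" => "2.5.2",
  "2.6" => "2.6.0.preview3",
}.freeze

DIRECTIVES = %w[B b H h].freeze # directives named in the Bugzilla text

# True if `version` (e.g. "2.5.1" or "2.6.0-preview2") is in an affected range.
def affected_by_cve_2018_16396?(version)
  # Normalise "-preview3" to ".preview3" so both sides compare the same way.
  v = Gem::Version.new(version.to_s.tr("-", "."))
  fixed = FIXED_IN[v.segments.first(2).join(".")]
  # Branches older than 2.3 fall under "before 2.3.8"; newer ones are fixed.
  v < Gem::Version.new(fixed || "2.3.8")
end

# Runtime probe: does the taint flag survive pack/unpack for each directive?
# Returns nil where taint tracking is unusable (no-op since Ruby 2.7,
# removed in 3.2), otherwise { "B" => { unpack: bool, pack: bool }, ... }.
def taint_propagation_report
  return nil if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("2.7")
  raw = "\xAB\xCD".b.taint # constructed sample: tainted binary input
  DIRECTIVES.map do |d|
    # Constructed sample: tainted hex or bit string to feed Array#pack.
    text = (d =~ /h/i ? "abcd" : "10101011").dup.taint
    [d, { unpack: raw.unpack("#{d}*").all?(&:tainted?),
          pack:   [text].pack("#{d}*").tainted? }]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  puts "#{RUBY_VERSION}: affected=#{affected_by_cve_2018_16396?(RUBY_VERSION)}"
  report = taint_propagation_report
  puts report ? report.inspect : "taint tracking not available on this Ruby"
end
```

On an interpreter where the probe runs, any `false` in the report means that directive drops the taint flag, so a `tainted?` check downstream of `pack`/`unpack` cannot be relied on there.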
Bugzilla
CVE-2018-16395 CVE-2018-16396 ruby: various flaws [fedora-all]
bugzilla·2018-10-25·CVSS 9.8
CVE-2018-16395 [CRITICAL] CVE-2018-16395 CVE-2018-16396 ruby: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whi
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
http://www.securitytracker.com/id/1042106
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://hackerone.com/reports/385070
https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html
https://security.netapp.com/advisory/ntap-20190221-0002/
https://usn.ubuntu.com/3808-1/
https://www.debian.org/security/2018/dsa-4332
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/
https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/