CVE-2018-8777
Published 2018-04-03
Priority: P339 · Severity: high · CVSS 3.0: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 4.64% (90.6th percentile)
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
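The failure mode behind this advisory (and behind the Red Hat and Bugzilla entries further down) is a header reader that buffers whatever the client sends. The following is an added example, not WEBrick's code and not the upstream fix: a minimal header reader in an unbounded form beside a bounded one that enforces a byte budget and reads with a limit so a single huge line cannot be buffered whole. The 8 KiB cap, the HeadersTooLarge class, and the constructed request are assumptions for illustration.

```ruby
require 'stringio'

# Raised by the bounded reader when the header block exceeds its byte budget.
# (Assumed name for this example; WEBrick's own fix uses its own error type.)
class HeadersTooLarge < StandardError; end

# Parse one "Name: value" line into the headers hash (lower-cased name).
def store_header(headers, line)
  name, value = line.split(':', 2)
  headers[name.strip.downcase] = value.to_s.strip
end

# Unbounded reader: appends header lines until the blank line that ends the
# block. Every byte the client sends is buffered, so peak memory is chosen by
# the client; this is the CWE-400 pattern the advisory describes.
def read_headers_unbounded(io)
  headers = {}
  while (line = io.gets)
    line = line.chomp
    break if line.empty?
    store_header(headers, line)
  end
  headers
end

# Bounded reader: counts header bytes as they arrive and stops once the total
# exceeds max_bytes. Each gets call is limited to the remaining budget plus one
# byte, so a single enormous line cannot be buffered whole before the check fires.
def read_headers_bounded(io, max_bytes: 8 * 1024)
  headers = {}
  total = 0
  loop do
    chunk = io.gets(max_bytes - total + 1)
    break if chunk.nil?               # EOF before the blank line
    total += chunk.bytesize
    raise HeadersTooLarge, "header block exceeds #{max_bytes} bytes" if total > max_bytes
    line = chunk.chomp
    break if line.empty?
    store_header(headers, line)
  end
  headers
end

# Constructed request (not captured traffic): one padding header of `size` bytes.
def build_request(size)
  "GET / HTTP/1.1\r\nHost: example.test\r\nX-Padding: #{'A' * size}\r\n\r\n"
end

# Run both readers over the same request and report what each did.
def demo(size, max_bytes: 8 * 1024)
  req = build_request(size)
  io = StringIO.new(req)
  io.gets                             # consume the request line
  unbounded = read_headers_unbounded(io)
  io = StringIO.new(req)
  io.gets
  bounded = begin
    read_headers_bounded(io, max_bytes: max_bytes)
  rescue HeadersTooLarge
    :rejected
  end
  {
    request_bytes: req.bytesize,
    unbounded_padding: unbounded['x-padding'].bytesize,
    bounded: bounded
  }
end

if __FILE__ == $0
  p demo(16)              # small request: both readers return the headers
  p demo(1024 * 1024)     # 1 MiB header: the bounded reader rejects it early
end
```

The point of the `gets(limit)` call is the caveat that matters in practice: a check that runs after `gets` has already returned a complete line still lets one multi-megabyte header line into memory, so the limit has to apply to the read itself, not only to the running total.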
Affected
38 ranges · 25 shown on the source page; rows that repeat identical values are collapsed here
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.6_security_update_2018-004_sierra_security_update_2018-0 | — | — |
| apple | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0 | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| redhat | enterprise_linux | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
The 2.5.1-r0 value is a packaging revision, not an upstream release; the upstream fixed releases named in the description are 2.2.10, 2.3.7, 2.4.4 and 2.5.1.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 9.1 | CRITICAL | — |
| vendor_ubuntu | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Both NVD vectors score availability impact only (C:N/I:N/A:H): an unauthenticated remote client can exhaust server memory, but nothing is read or altered. The 9.1 CRITICAL figures from osv and vendor_ubuntu match the score attached to the USN-3685-1 bundle entries listed below (CVE-2017-0898 and the CVE-2017-0903 regression), which share that multi-CVE advisory; they are not a separate assessment of CVE-2018-8777.
VulDB
Apple macOS up to 10.14.0 Ruby resource consumption (HT209193 / Nessus ID 111081)
vuldb · 2026-05-10 · CVSS 7.5 · CVE-2018-8777 [HIGH]
A vulnerability labeled as critical has been found in Apple macOS up to 10.14.0. It affects an unknown function of the Ruby component. Such manipulation leads to resource consumption.
This vulnerability is uniquely identified as CVE-2018-8777. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
VulDB
Ruby up to 2.2.9/2.3.6/2.4.3/2.5.0 WEBrick Server HTTP Request resource management (USN-3685-1 / Nessus ID 110551)
vuldb · 2026-05-10 · CVSS 7.5 · CVE-2018-8777 [HIGH]
A vulnerability labeled as problematic has been found in Ruby up to 2.2.9/2.3.6/2.4.3/2.5.0. Affected is an unknown function of the WEBrick Server component. Such manipulation as part of an HTTP request leads to improper resource management.
This vulnerability is traded as CVE-2018-8777. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
GHSA-9j6f-82h4-9mw2: In Ruby before 2
ghsa_unreviewed · 2022-05-14 · CVE-2018-8777 [HIGH] · CWE-400
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
OSV
ruby2.0 regression
osv · 2021-03-25 · CVSS 9.1 · CVE-2017-0903 [CRITICAL]
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVEs were already addressed in previous USNs: 3439-1, 3553-1, 3528-1. Here we address the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls.
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
osv · 2018-06-13 · CVSS 9.1 · CVE-2017-0898 [CRITICAL]
Some of these CVEs were already addressed in previous USNs: 3439-1, 3553-1, 3528-1. Here we address the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An attacker could use this to possibly execute arb
OSV
CVE-2018-8777: In Ruby before 2
osv · 2018-04-03 · CVSS 7.5 · CVE-2018-8777 [HIGH]
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
Ubuntu
Ruby regression
vendor_ubuntu · 2021-03-25 · CVSS 9.1 · CVE-2017-0903 [CRITICAL]
Title: Ruby regression
Summary: USN-3685-1 introduced a regression in Ruby.
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVEs were already addressed in previous USNs: 3439-1, 3553-1, 3528-1. Here we address the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download
Apple
CVE-2018-8777: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
vendor_apple · 2018-10-30 · CVSS 7.5 · CVE-2018-8777 [HIGH]
Apple Security Update: About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Product: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
CVE: CVE-2018-8777
Apple
CVE-2018-8777: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
vendor_apple · 2018-07-09 · CVSS 7.5 · CVE-2018-8777 [HIGH]
Apple Security Update: About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Product: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
CVE: CVE-2018-8777
Ubuntu
Ruby vulnerabilities
vendor_ubuntu · 2018-06-13 · CVSS 9.1 · CVE-2017-0898 [CRITICAL]
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Some of these CVEs were already addressed in previous USNs: 3439-1, 3553-1, 3528-1. Here we address the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem. (CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An attacker
Red Hat
ruby: DoS by large request in WEBrick
vendor_redhat · 2018-03-28 · CVSS 7.5 · CVE-2018-8777 [HIGH] · CWE-400
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a denial of service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.
Statement: This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may addres
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-8777 ruby: DoS by large request in WEBrick
bugzilla · 2018-03-29 · CVSS 7.5 · CVE-2018-8777 [HIGH]
If an attacker sends a large request containing huge HTTP headers, WEBrick tries to process it in memory, so the request causes an out-of-memory denial of service.
Affected versions:
Ruby 2.2 series: 2.2.9 and earlier
Ruby 2.3 series: 2.3.6 and earlier
Ruby 2.4 series: 2.4.3 and earlier
Ruby 2.5 series: 2.5.0 and earlier
External References:
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1561957]
---
Statement:
This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. F
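A triage check for the affected-version list in the Bugzilla entry above, added here as an example and not part of the advisory or the Ruby project's tooling: it maps a Ruby version string onto the per-series thresholds using Gem::Version from RubyGems, so the comparison also handles the 2.6.0-preview1 prerelease form. The function name, the constant name, and the :unknown result for series the advisory does not cover are assumptions.

```ruby
require 'rubygems'

# First fixed release per series, taken from the affected-version list in the advisory.
CVE_2018_8777_FIXED_IN = {
  '2.2' => Gem::Version.new('2.2.10'),
  '2.3' => Gem::Version.new('2.3.7'),
  '2.4' => Gem::Version.new('2.4.4'),
  '2.5' => Gem::Version.new('2.5.1')
}.freeze

# Returns :vulnerable, :fixed or :unknown for a Ruby version string such as
# "2.4.3" or "2.6.0-preview1". Gem::Version does the comparison, including the
# prerelease ordering that places 2.6.0-preview1 before 2.6.0.
def cve_2018_8777_status(version_string)
  v = Gem::Version.new(version_string)
  # Anything older than the 2.2 series never received a fix ("before 2.2.10").
  return :vulnerable if v < Gem::Version.new('2.2')
  series = v.segments[0, 2].join('.')
  # 2.6.0-preview1 is listed as affected; the advisory says nothing about later 2.6 builds.
  return :vulnerable if series == '2.6' && v.prerelease? && v < Gem::Version.new('2.6.0')
  fixed = CVE_2018_8777_FIXED_IN[series]
  return :unknown if fixed.nil?   # assumption: series not covered by the list
  v < fixed ? :vulnerable : :fixed
end

# Status of the interpreter this script runs under.
def current_ruby_status
  cve_2018_8777_status(RUBY_VERSION)
end

if __FILE__ == $0
  %w[2.2.9 2.2.10 2.4.3 2.5.0 2.5.1 2.6.0-preview1 2.6.0].each do |ver|
    puts "#{ver}: #{cve_2018_8777_status(ver)}"
  end
  puts "running interpreter #{RUBY_VERSION}: #{current_ruby_status}"
end
```

Distribution packages backport fixes without changing the upstream version string (the RHSA, DSA and USN references below are such backports), so on a packaged Ruby this check flags the version, and the package changelog or errata is the authority on whether the fix is present.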
Bugzilla
CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 ruby: various flaws [fedora-all]
bugzilla · 2018-03-29 · CVSS 5.3 · CVE-2017-17742 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this i
References
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
http://www.securityfocus.com/bid/103683
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://access.redhat.com/errata/RHSA-2020:0542
https://access.redhat.com/errata/RHSA-2020:0591
https://access.redhat.com/errata/RHSA-2020:0663
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2018/dsa-4259
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/