CVE-2018-8779Improper Input Validation in Ruby

CWE-20Improper Input ValidationCWE-626Null Byte Interaction Error (Poison Null Byte)12 documents8 sources
Severity
7.5HIGHNVD
EPSS
1.3%
top 20.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Ruby-lang RubyCanonical Ubuntu LinuxDebian Linux
Timeline
PublishedApr 3
Latest updateMay 14

Description

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDruby-lang/ruby2.2.02.2.10+4
Alpineruby-lang/ruby< 2.5.1-r0+19

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10

Patches

Patch: www.ruby-lang.orgPatch: www.ruby-lang.orgPatch: www.ruby-lang.org

🔴Vulnerability Details

5
GHSA
GHSA-mwq4-948j-88c5: In Ruby before 22022-05-14
OSV
libtirpc vulnerabilities2018-09-05
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities2018-04-16
OSV
CVE-2018-8779: In Ruby before 22018-04-03
CVEList
CVE-2018-8779: In Ruby before 22018-04-03

📋Vendor Advisories

4
Apple
CVE-2018-8779: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra2018-10-30
Apple
CVE-2018-8779: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan2018-07-09
Ubuntu
Ruby vulnerabilities2018-04-16
Red Hat
ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket2018-03-28

💬Community

2
Bugzilla
CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket2018-03-29
Bugzilla
CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 ruby: various flaws [fedora-all]2018-03-29
CVE-2018-8779 — Improper Input Validation in Ruby | cvebase