CVE-2019-15845: Null Byte Interaction Error (Poison Null Byte) in Ruby

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 44.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 26, 2019; latest update May 24, 2022

Description

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within the File.fnmatch functions. The built-in method File.fnmatch and its alias File.fnmatch? accepted NUL bytes in the pattern argument. Because the pattern was handed to C code as a NUL-terminated string, a pattern such as "*\0.log" survives any validation done on the full Ruby string but is matched as a bare "*" at the C level, so a script that builds its pattern from untrusted input can have its path check bypassed. The fix (Ruby 2.4.8, 2.5.7 and 2.6.5, released 2019-10-01) rejects patterns containing NUL.
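The following is an added example, not code from cvebase or the Ruby project. It models a hypothetical download handler that validates a user-supplied glob in Ruby and then hands it to File.fnmatch. unpatched_fnmatch simulates the pre-fix behaviour (the C matcher only saw the bytes before the NUL); the sample file list and the ".log" suffix rule are constructed for the demonstration. safe_pattern? is the check a practitioner should add in front of any C-backed matcher, and patched_fnmatch_probe shows what a fixed Ruby does with the same pattern.

```ruby
# Added example for CVE-2019-15845 (not from the original page or the Ruby project).
# Constructed sample "directory"; no filesystem access is needed.
SAMPLE_FILES = %w[app.log error.log secret.key db.sqlite].freeze

# Vulnerable-style validation: inspects the full Ruby string, which still ends
# in ".log" even when a NUL is embedded before that suffix.
def allowed_pattern?(pattern)
  pattern.end_with?(".log")
end

# Hardened validation: reject embedded NUL (and path separators) before the
# pattern reaches any C-level matcher; only then apply the business rule.
def safe_pattern?(pattern)
  return false if pattern.include?("\0")
  return false if pattern.include?("/")
  pattern.end_with?(".log")
end

# Simulation of the unpatched File.fnmatch: the C code treated the pattern as a
# NUL-terminated string, so "*\0.log" behaved like "*". (Simulation only; the
# real call on a patched Ruby is exercised by patched_fnmatch_probe below.)
def unpatched_fnmatch(pattern, path)
  truncated = pattern.split("\0", 2).first || ""
  File.fnmatch(truncated, path)
end

# Same call on the interpreter running this script. Ruby >= 2.4.8 / 2.5.7 /
# 2.6.5 refuses a NUL in the pattern with ArgumentError ("string contains null
# byte"); the rescue turns that into a [:rejected, message] pair.
def patched_fnmatch_probe(pattern, path)
  File.fnmatch(pattern, path)
rescue ArgumentError => e
  [:rejected, e.message]
end

# The handler: validate the pattern, then select matching files.
def select_files(pattern, matcher, validator)
  return [] unless validator.call(pattern)
  SAMPLE_FILES.select { |f| matcher.call(pattern, f) }
end

if __FILE__ == $PROGRAM_NAME
  evil = "*\0.log"
  puts "vulnerable handler: #{select_files(evil, method(:unpatched_fnmatch), method(:allowed_pattern?)).inspect}"
  puts "hardened handler:   #{select_files(evil, method(:unpatched_fnmatch), method(:safe_pattern?)).inspect}"
  puts "legitimate pattern: #{select_files('*.log', method(:unpatched_fnmatch), method(:safe_pattern?)).inspect}"
  puts "patched Ruby probe: #{patched_fnmatch_probe(evil, 'secret.key').inspect}"
end
```

The vulnerable handler leaks secret.key and db.sqlite because the suffix check passed on the full string while the matcher saw only "*". Rejecting NUL explicitly in Ruby keeps the application safe even on an interpreter that has not been updated, and is the right habit whenever a Ruby string is passed to a C-backed API (file paths, patterns, environment values).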

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (2 packages)

Alpine: ruby-lang/ruby < 2.5.7-r0 (+16 more ranges)
NVD: ruby-lang/ruby 2.4.0 to 2.4.7 (+2 more ranges)

Also affects: Ubuntu Linux 16.04, 18.04, 19.04, 19.10

🔴 Vulnerability Details (4)

GHSA: GHSA-x99v-c5pj-9m7r: Ruby through 2... (2022-05-24)
OSV: ruby2.3, ruby2.5 vulnerabilities (2019-11-26)
OSV: CVE-2019-15845: Ruby through 2... (2019-11-26)
CVEList: CVE-2019-15845: Ruby through 2... (2019-11-26)

📋 Vendor Advisories (5)

Oracle: Oracle GraalVM Risk Matrix: Interpreter and runtime (Ruby), CVE-2019-15845 (2020-01-15)
Ubuntu: Ruby vulnerabilities (2019-11-26)
Microsoft: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. (2019-11-12)
Red Hat: ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (2019-10-01)
Debian: CVE-2019-15845: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path... (2019)

💬 Community (2)

Bugzilla: CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? [fedora-all] (2020-01-09)
Bugzilla: CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (2020-01-09)
Source: CVE-2019-15845 — Ruby-lang Ruby vulnerability | cvebase