CVE-2019-15845
Published: 2019-11-26
CVE-2019-15845: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
Priority: P4 · 33 · medium · CVSS 3.1 base score 6.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 3.29% (86.9th percentile)
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
Affected
28 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | jruby | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0 | — | — |
| ruby-lang | ruby | >= 0 < 2.5.7-r0 | 2.5.7-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.6.5-r0 | 2.6.5-r0 |
| ruby-lang | ruby | >= 0 < 2.4.10-r0 | 2.4.10-r0 |
| ruby-lang | ruby | >= 0 < 2.5.7-r0 | 2.5.7-r0 |
| ruby-lang | ruby | >= 0 < 2.5.7-r0 | 2.5.7-r0 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_oracle | 9.8 | MEDIUM | — |
| vendor_debian | 6.5 | LOW | — |
| vendor_msrc | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
| vendor_ubuntu | 6.5 | MEDIUM | — |
Oracle
Oracle Oracle GraalVM Risk Matrix: Interpreter and runtime (Ruby) — CVE-2019-15845
vendor_oracle·2020-01-15·CVSS 9.8
CVE: CVE-2019-15845
CVSS: 9.8
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2020 (JAN 2020)
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2019-11-26·CVSS 6.5
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this issue to pass path matching,
which can lead to unauthorized access. (CVE-2019-15845)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service.
(CVE-2019-16201)
It was discovered that Ruby incorrectly handled certain HTTP headers.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16254)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16255)
Instructions: In general, a standard system update will make all
Microsoft
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
vendor_msrc·2019-11-12·CVSS 6.5
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, mitre
Customer Action Required: Y
Red Hat
ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?
vendor_redhat·2019-10-01·CVSS 6.5
CWE: CWE-626
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. A remote attacker could exploit this flaw to make a Ruby script access unexpected files and to bypass intended file system access restrictions.
Mitigation: It is possible to test for the presence of the NULL byte manually prior to calling the affected methods with an untrusted string.
Package: 3amp-system (Red Hat 3scale API Management Platform 2) - Will not fix
Package: r
Debian
CVE-2019-15845: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path...
vendor_debian·2019·CVSS 6.5
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-x99v-c5pj-9m7r: Ruby through 2
ghsa_unreviewed·2022-05-24
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
OSV
ruby2.3, ruby2.5 vulnerabilities
osv·2019-11-26·CVSS 6.5
It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this issue to pass path matching,
which can lead to unauthorized access. (CVE-2019-15845)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service.
(CVE-2019-16201)
It was discovered that Ruby incorrectly handled certain HTTP headers.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16254)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16255)
OSV
CVE-2019-15845: Ruby through 2
osv·2019-11-26·CVSS 6.5
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? [fedora-all]
bugzilla·2020-01-09·CVSS 6.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?
bugzilla·2020-01-09·CVSS 6.5
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
References:
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://hackerone.com/reports/449617
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1789408]
---
Upstream fix:
https://github.com/ruby/ruby/commit/a0a2640b398cffd351f87d3f6243103add66575b
---
External References:
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
---
Mitigation:
It is possible to test for the presence of the NULL byte manually prior to calling the affected methods with an untrusted string.
---
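The mitigation quoted in the Red Hat and Bugzilla entries above (check for a NUL byte before handing untrusted strings to File.fnmatch / File.fnmatch?) as an added Ruby example. This is not code from ruby-lang, Red Hat or the upstream fix; it assumes the pattern and path both arrive from untrusted input and that the caller wants either a boolean match or an explicit rejection, never a silently mishandled pattern. The wrapper names (`safe_fnmatch`, `classify_fnmatch`, `NulByteError`) are chosen here for illustration.

```ruby
# Added example: guard File.fnmatch against embedded NUL bytes in untrusted
# input, following the advisory's suggested mitigation. Names below are
# illustrative, not part of Ruby's standard library.

class NulByteError < ArgumentError; end

# Reject any string carrying an embedded NUL ("\0") before it reaches
# File.fnmatch. Returns the string unchanged when it is clean.
def reject_nul!(str, what)
  raise NulByteError, "#{what} contains a NUL byte" if str.include?("\0")
  str
end

# Validating wrapper: checks both arguments, then delegates to File.fnmatch.
# Raises NulByteError instead of letting the affected method see the input.
def safe_fnmatch(pattern, path, flags = 0)
  reject_nul!(pattern, "pattern")
  reject_nul!(path, "path")
  File.fnmatch(pattern, path, flags)
end

# Non-raising variant for callers that log and continue.
# Returns :match, :no_match, or :rejected (input carried a NUL byte).
def classify_fnmatch(pattern, path, flags = 0)
  return :rejected if pattern.include?("\0") || path.include?("\0")
  File.fnmatch(pattern, path, flags) ? :match : :no_match
end

if __FILE__ == $0
  # Constructed sample inputs; the third pattern embeds a NUL byte.
  puts classify_fnmatch("*.txt", "notes.txt")       # :match
  puts classify_fnmatch("*.txt", "secret.rb")       # :no_match
  puts classify_fnmatch("*.txt\0.rb", "secret.rb")  # :rejected
end
```

Validate both the pattern and the path: the advisory names the pattern, but a NUL in either argument is never a legitimate filename or glob, so rejecting it on both sides costs nothing and removes the class of bug regardless of which side untrusted data lands on.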
This
References:
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
https://hackerone.com/reports/449617
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://seclists.org/bugtraq/2019/Dec/31
https://seclists.org/bugtraq/2019/Dec/32
https://security.gentoo.org/glsa/202003-06
https://usn.ubuntu.com/4201-1/
https://www.debian.org/security/2019/dsa-4587
https://www.oracle.com/security-alerts/cpujan2020.html
Published: 2019-11-26