CVE-2013-2065

Sažetak

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

Reference

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107064.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107098.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107120.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00057.html
http://www.ubuntu.com/usn/USN-2035-1
https://puppet.com/security/cve/cve-2013-2065
https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

30-10-2018 - 16:27

Objavljeno

02-11-2013 - 19:55