Description
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods do not check their path argument for NUL bytes. The path is handed to the C socket API as a NUL-terminated string, so everything after the first NUL is silently dropped and the program may connect to, or listen on, an unintended socket. The fixed releases raise ArgumentError on such a path.
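The following is an added example, not code from the page or from the Ruby project, showing the truncation the unpatched C layer performed and an application-level check that rejects a NUL-containing path before it ever reaches UNIXSocket.open. The socket directory, socket name and the "attacker" input are constructed for the demonstration.

```ruby
require "socket"
require "tmpdir"

# Path the unpatched C layer effectively used: sun_path is a C string, so
# everything after the first NUL byte was silently dropped.
def c_string_view(path)
  path.split("\0", 2).first.to_s
end

# Application-level check: refuse any path containing a NUL before it reaches
# UNIXSocket.open / UNIXServer.open. Patched Ruby performs the same check and
# raises ArgumentError; doing it here makes the failure explicit on any version.
def checked_unix_path(path)
  raise ArgumentError, "unix socket path contains NUL byte: #{path.inspect}" if path.include?("\0")
  path
end

def connect_checked(path)
  UNIXSocket.open(checked_unix_path(path))
end

# Worked scenario (constructed): a server listens on <tmpdir>/app.sock and a
# client path is built from attacker-influenced input that smuggles a NUL byte.
# Returns a hash describing what happened so it can be inspected or asserted.
def demo
  results = {}
  Dir.mktmpdir("cve") do |dir|
    legit = "#{dir}/app.sock"
    server = UNIXServer.new(legit)
    begin
      # Looks like a different socket name, but truncates to the real one
      # once it becomes a C string.
      poisoned = "#{dir}/app.sock\0-other"
      results[:truncated_to] = c_string_view(poisoned)
      results[:same_as_legit] = results[:truncated_to] == legit

      # The hardened path rejects the input outright instead of truncating it.
      begin
        connect_checked(poisoned)
        results[:poisoned_rejected] = false
      rescue ArgumentError
        results[:poisoned_rejected] = true
      end

      # A clean path still works end to end.
      client = connect_checked(legit)
      peer = server.accept
      client.write("ping")
      results[:echo] = peer.read(4)
      client.close
      peer.close
    ensure
      server.close
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

Running the script on a patched interpreter gives the same result whether or not the explicit check is present; on a vulnerable interpreter, removing `checked_unix_path` is exactly what lets the poisoned path connect to `app.sock`.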
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-8779
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/errata/RHSA-2019:2028
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://usn.ubuntu.com/3626-1
- https://www.debian.org/security/2018/dsa-4259
- https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- http://www.securityfocus.com/bid/103767
- http://www.securitytracker.com/id/1042004
Related vulnerabilities
Vulnerability in the UNIXServer.open and UNIXSocket.open methods of the Ruby programming language interpreter, allowing an attacker to bypass security restrictions