Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-8780

It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.

Source

It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.

Find out more about CVE-2018-8780 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v3 metrics

CVSS3 Base Score	6.5
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity Impact	Low
Availability Impact	None

Red Hat Security Errata

Platform	Errata	Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby24-ruby)	RHSA-2018:3730	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby23-ruby)	RHSA-2018:3729	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby23-ruby)	RHSA-2018:3729	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby24-ruby)	RHSA-2018:3730	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby25-ruby)	RHSA-2018:3731	2018-11-29

Affected Packages State

Platform	Package	State
Red Hat Subscription Asset Manager 1	ruby193-ruby	Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux	rh-ruby22-ruby	Will not fix
Red Hat Enterprise Linux 7	ruby	Affected
Red Hat Enterprise Linux 6	ruby	Will not fix
Red Hat Enterprise Linux 5	ruby	Will not fix

Mitigation

It is possible to test for presence of the NULL byte manually prior to call a Dir method with an untrusted string.

External References

https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2018-8780

Statement

CVSS v3 metrics

Red Hat Security Errata

Affected Packages State

Mitigation

External References

Vulmon Search

About

Products

Connect