
CVE-2013-2065

Published: 02/11/2013 Updated: 30/10/2018
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

(1) DL and (2) Fiddle in Ruby 1.9 prior to 1.9.3 patchlevel 426, and 2.0 prior to 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent malicious users to bypass intended $SAFE level restrictions.

Vulnerable Product

opensuse opensuse 12.2

opensuse opensuse 12.3

ruby-lang ruby 2.0.0

ruby-lang ruby 1.9.3

ruby-lang ruby 1.9.1

ruby-lang ruby 1.9.2

ruby-lang ruby 1.9

ruby-lang ruby 2.0

Vendor Advisories

Several security issues were fixed in Ruby ...
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions ...