7.5
CVSSv2

CVE-2018-10199

Published: 18/04/2018 Updated: 22/05/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

In versions of mruby up to and including 1.4.0, a use-after-free vulnerability exists in src/io.c::File#initilialize_copy(). An attacker that can cause Ruby code to be run can possibly use this to execute arbitrary code.

Affected Products

Vendor Product Versions
MrubyMruby1.4.0

Vendor Advisories

Debian Bug report logs - #896021 mruby: CVE-2018-10199: Use after free in File#initilialize_copy Package: src:mruby; Maintainer for src:mruby is Nobuhiro Iwamatsu <iwamatsu@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 18 Apr 2018 19:33:02 UTC Severity: grave Tags: patch, security, ups ...
Debian Bug report logs - #896020 mruby: CVE-2018-10191: Use after free caused by integer overflow in environment stack Package: src:mruby; Maintainer for src:mruby is Nobuhiro Iwamatsu <iwamatsu@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 18 Apr 2018 19:21:02 UTC Severity: grave Tags ...