First published: Fri Apr 18 2008
Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
Credit: cve@mitre.org
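The description above lists the trailing characters (`+`, `%2b`, `.`, `%2e`, `%20`) that let a request name reach the filesystem in a form NTFS or FAT quietly rewrites to the real file. The following Ruby is an added defensive example, not WEBrick's code and not part of the advisory: it shows a request-path check that refuses those trailing characters after percent-decoding, before any path is handed to a file-serving handler. `DOC_ROOT`, `percent_decode` and `safe_cgi_path` are names and values constructed for this example.

```ruby
# Added defensive example (not WEBrick's own code, not from the advisory):
# a request-path check that refuses the trailing characters named in
# CVE-2008-1891 before a path is handed to a file-serving handler.
#
# Constructed document root; any directory name works for the check.
DOC_ROOT = "/srv/www/cgi-bin".freeze

# NTFS and FAT drop trailing dots and spaces when opening a name, so
# "run.cgi." and "run.cgi " open "run.cgi" on disk while a handler that
# chooses its behaviour by the string extension sees no ".cgi".
# "+" is rejected as well because the advisory lists it alongside.
TRAILING_JUNK = /[. +]\z/

# Decode %XX escapes only. "+" is left alone: this is a path, not a query
# string, and the raw "+" is exactly what must be inspected.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the absolute on-disk path for request_path, or nil when the
# request must be refused. Hypothetical helper used only in this example.
def safe_cgi_path(request_path, root = DOC_ROOT)
  decoded = percent_decode(request_path)
  segments = decoded.split("/").reject(&:empty?)
  return nil if segments.empty?
  # Reject parent references and any segment that an NTFS/FAT open would
  # quietly rewrite; the check runs on the decoded bytes, so %2e, %20 and
  # %2b are caught the same way as the literal characters.
  return nil if segments.any? { |s| s == ".." || s.match?(TRAILING_JUNK) }
  candidate = File.expand_path(File.join(root, *segments))
  # Belt and braces: the resolved path must still live under the root.
  return nil unless candidate.start_with?(root + "/")
  candidate
end

if __FILE__ == $PROGRAM_NAME
  %w[/run.cgi /run.cgi. /run.cgi%2e /run.cgi%20 /run.cgi+ /run.cgi%2b].each do |p|
    puts "#{p.ljust(14)} -> #{safe_cgi_path(p).inspect}"
  end
end
```

The check deliberately decodes first and inspects second: a filter that looked at the raw URI would pass `%2e` through unchanged, and the filesystem would still strip the dot it decodes to. Keeping the filesystem-specific rule in one place (`TRAILING_JUNK`) also makes it easy to extend if a deployment runs on another filesystem with its own name normalisation.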
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby | <=1.9.0 | |
| Ruby | =1.8.5 | |
| Ruby | =1.8.6 | |
CVE-2008-1891 is considered a critical vulnerability due to its potential to allow unauthorized reading of sensitive files.
To fix CVE-2008-1891, upgrade Ruby to version 1.8.5-p231, 1.8.6-p230, 1.8.7-p22, or 1.9.0-2 or later.
CVE-2008-1891 affects Ruby versions 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2.
CVE-2008-1891 lets remote attackers read arbitrary CGI files through the directory traversal described above.
CVE-2008-1891 specifically affects systems using NTFS or FAT filesystems, whose handling of the trailing characters in the request name is what allows the file access.