First published: Fri Aug 08 2008(Updated: )
Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ruby | <0:1.8.1-7.el4_7.1 | 0:1.8.1-7.el4_7.1 |
redhat/ruby | <0:1.8.5-5.el5_2.5 | 0:1.8.5-5.el5_2.5 |
Ruby | =1.8.3-preview1 | |
Ruby | =1.8.2-preview4 | |
Ruby | =1.8.4-preview2 | |
Ruby | =1.8.1--9 | |
Ruby | =1.8.7-preview3 | |
Ruby | =1.8.7-p17 | |
Ruby | =1.9.0 | |
Ruby | =1.8.2-preview3 | |
Ruby | =1.8.6-p110 | |
Ruby | =1.8.5-p2 | |
Ruby | =1.8.5-preview5 | |
Ruby | =1.8.5-p12 | |
Ruby | =1.8.5-preview1 | |
Ruby | =1.8.7-p71 | |
Ruby | =1.8.4-preview1 | |
Ruby | =1.8.7-p22 | |
Ruby | =1.8.4 | |
Ruby | =1.8.3 | |
Ruby | <=1.8.5 | |
Ruby | =1.8.3-preview2 | |
Ruby | =1.8.2 | |
Ruby | =1.8.4-preview3 | |
Ruby | =1.8.7-preview2 | |
Ruby | =1.8.1 | |
Ruby | =1.8.2-preview2 | |
Ruby | =1.8.3-preview3 | |
Ruby | =1.8.6-preview1 | |
Ruby | =1.8.6-p114 | |
Ruby | =1.8.5-preview4 | |
Ruby | =1.8.5-preview2 | |
Ruby | =1.8.6-preview3 | |
Ruby | =1.8.0 | |
Ruby | =1.8.5-p11 | |
Ruby | =1.8.7 | |
Ruby | =1.6.8 | |
Ruby | =1.8.6-preview2 | |
Ruby | =1.8.5-p35 | |
Ruby | =1.8.5-p113 | |
Ruby | =1.8.5-p115 | |
Ruby | =1.8.7-preview1 | |
Ruby | =1.8.6 | |
Ruby | =1.8.7-preview4 | |
Ruby | =1.8.5-preview3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2008-3656 is classified as a denial of service vulnerability in Ruby's WEBrick server.
To fix CVE-2008-3656, upgrade to Ruby version 1.8.7-p72 or later.
CVE-2008-3656 affects Ruby versions 1.8.1 through 1.8.7-p71 and versions of Ruby 1.9 up to r18423.
Yes, CVE-2008-3656 can be exploited by context-dependent attackers to trigger denial of service remotely.
CVE-2008-3656 impacts the WEBrick::HTTPUtils.split_header_value function's ability to handle headers, leading to potential service downtime.