CVE-2008-4310
First published: Thu Nov 06 2008(Updated: )
Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2008-3656">CVE-2008-3656</a> to the following vulnerability: Algorithmic complexity vulnerability in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.5 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression. Refences: <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401</a> <a href="http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/">http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/</a> Vincent Danen from LinSec discovered the original patch for this flaw, provided by Red Hat, did not properly address this flaw.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby-lang Ruby | =1.8.1 | |
| Ruby-lang Ruby | =1.8.5 | |
| redhat/ruby | <0:1.8.1-7.el4_7.2 | 0:1.8.1-7.el4_7.2 |
| redhat/ruby | <0:1.8.5-5.el5_2.6 | 0:1.8.5-5.el5_2.6 |
| rubygems/webrick | <1.3.1 | 1.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/33013
- http://www.openwall.com/lists/oss-security/2008/12/04/2
- http://www.redhat.com/support/errata/RHSA-2008-0981.html
- https://bugzilla.redhat.com/show_bug.cgi?id=470252
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10250
- https://access.redhat.com/security/cve/CVE-2008-3656
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401
- http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=322718&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=322718&action=edit
- https://access.redhat.com/security/cve/CVE-2008-4310
- http://rhn.redhat.com/errata/RHSA-2008-0981.html
- https://www.cve.org/CVERecord?id=CVE-2008-4310 https://nvd.nist.gov/vuln/detail/CVE-2008-4310
- https://access.redhat.com/errata/RHSA-2008:0981
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-4310.json
- https://nvd.nist.gov/vuln/detail/CVE-2008-4310
- https://github.com/ruby/webrick/commit/b2ccd5ff7ddd67a4548299e110dcc5a4728a5534
- https://web.archive.org/web/20111230125610/http://secunia.com/advisories/33013
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2008-4310.yml
- https://github.com/advisories/GHSA-wfrc-r6c6-7j9r (Advisory)
- collector/nvd-index
- collector/nvd-historical
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-4310
- agent/severity
- collector/redhat-cve
- agent/software-canonical-lookup
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wfrc-r6c6-7j9r
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/1.8.1
- version/ruby-lang ruby/1.8.5
- package-manager/redhat
- package-manager/rubygems