CVE-2011-1005
First published: Sun Feb 20 2011(Updated: )
A security flaw was found in the Ruby method, translating message of the exception into string representation. An attacker could use this flaw to modify arbitrary untainted strings into their tainted equivalents by tricking the safe level mechanism of this method. References: [1] <a href="http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/">http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/</a> Upstream patch (against ruby_1_8 branch): [2] <a href="http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903">http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby | =1.8.6 | |
| Ruby | =1.8.6-420 | |
| Ruby | =1.8.7 | |
| Ruby | =1.8.7-330 | |
| Ruby | =1.8.8-dev |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2011/02/21/2
- http://www.openwall.com/lists/oss-security/2011/02/21/5
- http://www.securityfocus.com/bid/46458
- http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
- https://bugzilla.redhat.com/show_bug.cgi?id=678920
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054422.html
- http://secunia.com/advisories/43420
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054436.html
- http://www.vupen.com/english/advisories/2011/0539
- http://osvdb.org/70957
- http://secunia.com/advisories/43573
- http://www.redhat.com/support/errata/RHSA-2011-0910.html
- http://www.redhat.com/support/errata/RHSA-2011-0908.html
- http://www.redhat.com/support/errata/RHSA-2011-0909.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:098
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:097
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://support.apple.com/kb/HT5281
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903
- https://access.redhat.com/security/cve/CVE-2011-1005
- https://rhn.redhat.com/errata/RHSA-2011-0908.html
- https://rhn.redhat.com/errata/RHSA-2011-0910.html
- https://rhn.redhat.com/errata/RHSA-2011-0909.html
Frequently Asked Questions
What is the severity of CVE-2011-1005?
CVE-2011-1005 has been classified as a moderate severity vulnerability.
How do I fix CVE-2011-1005?
To fix CVE-2011-1005, upgrade to a patched version of Ruby that addresses this security flaw.
Which Ruby versions are affected by CVE-2011-1005?
CVE-2011-1005 affects Ruby versions 1.8.6, 1.8.7, and 1.8.8-dev.
What is the impact of CVE-2011-1005?
The impact of CVE-2011-1005 allows an attacker to manipulate arbitrary untainted strings if they successfully exploit the flaw.
Is CVE-2011-1005 associated with any exploit techniques?
CVE-2011-1005 can be exploited using manipulation of the safe level mechanism within Ruby.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-1005
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/ruby-lang
- canonical/ruby
- version/ruby/1.8.6
- version/ruby/1.8.6-420
- version/ruby/1.8.7
- version/ruby/1.8.7-330
- version/ruby/1.8.8-dev