CVE-2019-15845
First published: Tue Oct 01 2019(Updated: )
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-ruby25-ruby | <0:2.5.9-9.el7 | 0:2.5.9-9.el7 |
| redhat/rh-ruby26-ruby | <0:2.6.7-119.el7 | 0:2.6.7-119.el7 |
| Ruby-lang Ruby | >=2.4.0<=2.4.7 | |
| Ruby-lang Ruby | >=2.5.0<=2.5.6 | |
| Ruby-lang Ruby | >=2.6.0<=2.6.4 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| redhat/ruby | <2.4.8 | 2.4.8 |
| redhat/ruby | <2.5.7 | 2.5.7 |
| redhat/ruby | <2.6.5 | 2.6.5 |
| redhat/ruby | <2.7.0 | 2.7.0 |
| ubuntu/ruby2.3 | <2.3.1-2~ubuntu16.04.14 | 2.3.1-2~ubuntu16.04.14 |
| ubuntu/ruby2.5 | <2.5.1-1ubuntu1.6 | 2.5.1-1ubuntu1.6 |
| ubuntu/ruby2.5 | <2.5.5-1ubuntu1.1 | 2.5.5-1ubuntu1.1 |
| ubuntu/ruby2.5 | <2.5.5-4ubuntu2.1 | 2.5.5-4ubuntu2.1 |
| ubuntu/ruby2.5 | <2.5.7-1 | 2.5.7-1 |
| debian/jruby | 9.3.9.0+ds-8 9.4.8.0+ds-1 |
Remedy
It is possible to test for presence of the NULL byte manually prior to call the affected methods with an untrusted string.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-15845 https://nvd.nist.gov/vuln/detail/CVE-2019-15845 https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
- https://bugzilla.redhat.com/show_bug.cgi?id=1789407
- https://access.redhat.com/errata/RHSA-2021:2587
- https://access.redhat.com/errata/RHSA-2021:2588
- https://access.redhat.com/errata/RHSA-2022:0581
- https://access.redhat.com/errata/RHSA-2022:0582
- https://access.redhat.com/errata/RHSA-2021:2104
- https://access.redhat.com/errata/RHSA-2021:2230
- https://access.redhat.com/security/cve/cve-2019-15845
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- https://hackerone.com/reports/449617
- https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
- https://seclists.org/bugtraq/2019/Dec/31
- https://seclists.org/bugtraq/2019/Dec/32
- https://security.gentoo.org/glsa/202003-06
- https://usn.ubuntu.com/4201-1/
- https://www.debian.org/security/2019/dsa-4587
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://launchpad.net/bugs/cve/CVE-2019-15845
- https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1789408
- https://github.com/ruby/ruby/commit/a0a2640b398cffd351f87d3f6243103add66575b
- https://security-tracker.debian.org/tracker/CVE-2019-15845
- https://ubuntu.com/security/notices/USN-4201-1
- https://www.cve.org/CVERecord?id=CVE-2019-15845
- https://nvd.nist.gov/vuln/detail/CVE-2019-15845
- https://github.com/ruby/ruby/commit/02ea1fdfc70b01189574a4a640eec3c9c81d2417
- https://ubuntu.com/security/CVE-2019-15845
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2019-15845.
What is the severity level of CVE-2019-15845?
The severity level of CVE-2019-15845 is medium.
Which software versions are affected by this vulnerability?
The affected software versions are Ruby 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by making a Ruby script process a specially crafted path pattern containing a NULL byte.
Where can I find more information about CVE-2019-15845?
More information about CVE-2019-15845 can be found at the following references: [Link 1](https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/), [Link 2](https://hackerone.com/reports/449617), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1789408).
- collector/redhat-cve
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-15845
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/softwarecombine
- agent/trending
- package-manager/redhat
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/2.4.0
- version/ruby-lang ruby/2.4.7
- version/ruby-lang ruby/2.5.0
- version/ruby-lang ruby/2.5.6
- version/ruby-lang ruby/2.6.0
- version/ruby-lang ruby/2.6.4
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- package-manager/ubuntu
- package-manager/debian