CVE-2017-11465
Published: 19 July 2017
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
Notes
Author | Note |
---|---|
sbeattie | affected ruby 2.4 and newer only |
Priority
Status
Package | Release | Status |
---|---|---|
ruby1.9.1 | trusty | Does not exist (trusty was not-affected [ruby 2.4+ only]) |
ruby1.9.1 | upstream | Not vulnerable (ruby 2.4+ only) |
ruby1.9.1 | xenial | Does not exist |
ruby1.9.1 | yakkety | Does not exist |
ruby1.9.1 | zesty | Does not exist |
ruby2.0 | trusty | Does not exist (trusty was not-affected [ruby 2.4+ only]) |
ruby2.0 | upstream | Not vulnerable (ruby 2.4+ only) |
ruby2.0 | xenial | Does not exist |
ruby2.0 | yakkety | Does not exist |
ruby2.0 | zesty | Does not exist |
ruby2.3 | trusty | Does not exist |
ruby2.3 | upstream | Not vulnerable (ruby 2.4+ only) |
ruby2.3 | xenial | Not vulnerable (ruby 2.4+ only) |
ruby2.3 | yakkety | Not vulnerable (ruby 2.4+ only) |
ruby2.3 | zesty | Not vulnerable (ruby 2.4+ only) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
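The base score of 9.8 above can be recomputed from the vector string. What follows is an added example, not part of the Ubuntu tracker page or of the Ruby project: a CVSS v3.0 base-score calculator in Ruby. The metric weights, the impact and exploitability formulas and the Roundup function are taken from the CVSS v3.0 specification; the constant and method names (`CVSS3_WEIGHTS`, `cvss3_base_score`, `severity`) are my own. It handles the scope-changed branch as well, so it generalizes to any v3.0 base vector, not just the one on this page.

```ruby
# Added example: CVSS v3.0 base-score calculator (not code from the Ubuntu
# CVE tracker or from Ruby upstream). Weights and formulas follow the
# CVSS v3.0 specification; names below are this example's own.

CVSS3_WEIGHTS = {
  "AV"  => { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.2 },
  "AC"  => { "L" => 0.77, "H" => 0.44 },
  "UI"  => { "N" => 0.85, "R" => 0.62 },
  "CIA" => { "H" => 0.56, "L" => 0.22, "N" => 0.0 },
}.freeze

# Privileges Required weight depends on whether Scope is Changed.
def pr_weight(pr, scope_changed)
  case pr
  when "N" then 0.85
  when "L" then scope_changed ? 0.68 : 0.62
  when "H" then scope_changed ? 0.50 : 0.27
  else raise ArgumentError, "unknown PR value #{pr.inspect}"
  end
end

# CVSS v3.0 Roundup: smallest number with one decimal place >= input.
def roundup(x)
  (x * 10).ceil / 10.0
end

# Parse "CVSS:3.0/AV:N/AC:L/..." into a metric => value hash,
# rejecting vectors that are not v3.0 or lack a base metric.
def parse_vector(vector)
  parts = vector.split("/")
  raise ArgumentError, "not a CVSS v3.0 vector" unless parts.shift == "CVSS:3.0"
  metrics = parts.map { |p| p.split(":", 2) }.to_h
  missing = %w[AV AC PR UI S C I A] - metrics.keys
  raise ArgumentError, "missing metrics: #{missing.join(',')}" unless missing.empty?
  metrics
end

def cvss3_base_score(vector)
  m = parse_vector(vector)
  scope_changed = m["S"] == "C"
  cia = CVSS3_WEIGHTS["CIA"]
  # Impact Sub Score: 1 - product of (1 - weight) over C, I, A.
  iss = 1 - (1 - cia.fetch(m["C"])) * (1 - cia.fetch(m["I"])) * (1 - cia.fetch(m["A"]))
  impact = if scope_changed
             7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15
           else
             6.42 * iss
           end
  exploitability = 8.22 * CVSS3_WEIGHTS["AV"].fetch(m["AV"]) *
                   CVSS3_WEIGHTS["AC"].fetch(m["AC"]) *
                   pr_weight(m["PR"], scope_changed) *
                   CVSS3_WEIGHTS["UI"].fetch(m["UI"])
  return 0.0 if impact <= 0
  if scope_changed
    roundup([1.08 * (impact + exploitability), 10].min)
  else
    roundup([impact + exploitability, 10].min)
  end
end

# Qualitative rating bands from the CVSS v3.0 specification.
def severity(score)
  case score
  when 0 then "None"
  when 0.1..3.9 then "Low"
  when 4.0..6.9 then "Medium"
  when 7.0..8.9 then "High"
  else "Critical"
  end
end

if __FILE__ == $0
  v = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  s = cvss3_base_score(v)
  puts "#{v} => #{s} (#{severity(s)})"
end
```

For the vector on this page the impact sub score is 6.42 * (1 - 0.44^3) = 5.873 and exploitability is 8.22 * 0.85 * 0.77 * 0.85 * 0.85 = 3.887; their sum, 9.760, rounds up to 9.8 (Critical), matching the breakdown table. Rounding is done with the v3.0 ceiling rule; CVSS v3.1 later changed Roundup to an integer-based definition to avoid floating-point artefacts, so use that variant when scoring v3.1 vectors.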