CVE-2008-2662 - Vulnerability Details

Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Redhat	Enterprise Linux
Ruby-lang	Ruby

Configuration 1 [-]

OR	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 4
ruby-0:1.8.1-7.el4_6.1	cpe:/o:redhat:enterprise_linux:4	RHSA-2008:0561	2008-07-14T00:00:00Z
Red Hat Enterprise Linux 5
ruby-0:1.8.5-5.el5_2.3	cpe:/o:redhat:enterprise_linux:5	RHSA-2008:0561	2008-07-14T00:00:00Z

References

Link	Providers
http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
http://secunia.com/advisories/30802
http://secunia.com/advisories/30831
http://secunia.com/advisories/30867
http://secunia.com/advisories/30875
http://secunia.com/advisories/30894
http://secunia.com/advisories/31062
http://secunia.com/advisories/31181
http://secunia.com/advisories/31256
http://secunia.com/advisories/31687
http://secunia.com/advisories/33178
http://security.gentoo.org/glsa/glsa-200812-17.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562
http://support.apple.com/kb/HT2163
http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206
http://www.debian.org/security/2008/dsa-1612
http://www.debian.org/security/2008/dsa-1618
http://www.mandriva.com/security/advisories?name=MDVSA-2008:140
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.redhat.com/support/errata/RHSA-2008-0561.html
http://www.ruby-forum.com/topic/157034
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html
http://www.securityfocus.com/archive/1/493688/100/0/threaded
http://www.securityfocus.com/bid/29903
http://www.securitytracker.com/id?1020347
http://www.ubuntu.com/usn/usn-621-1
http://www.vupen.com/english/advisories/2008/1907/references
http://www.vupen.com/english/advisories/2008/1981/references
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/43345
https://issues.rpath.com/browse/RPL-2626
https://nvd.nist.gov/vuln/detail/CVE-2008-2662
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601
https://www.cve.org/CVERecord?id=CVE-2008-2662
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-06-24T19:00:00

Updated: 2024-08-07T09:05:30.275Z

Reserved: 2008-06-10T00:00:00

Link: CVE-2008-2662

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-06-24T19:41:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-2662

Redhat

Severity : Moderate

Publid Date: 2008-06-20T00:00:00Z

Links: CVE-2008-2662 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-06-21T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SUSE-SR:2008:017", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT2163"}, {"tags": ["x_refsource_MISC"], "url": "http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities"}, {"name": "MDVSA-2008:141", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:141"}, {"name": "30875", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30875"}, {"name": "ADV-2008-1981", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1981/references"}, {"name": "ADV-2008-1907", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1907/references"}, {"name": "DSA-1618", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1618"}, {"name": "31687", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31687"}, {"name": "30894", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30894"}, {"name": "31062", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31062"}, {"name": "31256", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31256"}, {"name": "20080626 rPSA-2008-0206-1 ruby", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/493688/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/"}, {"name": "SSA:2008-179-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562"}, {"name": "APPLE-SA-2008-06-30", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"}, {"name": "1020347", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020347"}, {"tags": ["x_refsource_MISC"], "url": "http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206"}, {"name": "oval:org.mitre.oval:def:11601", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601"}, {"name": "FEDORA-2008-5649", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html"}, {"name": "MDVSA-2008:140", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:140"}, {"name": "30802", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30802"}, {"name": "30831", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30831"}, {"name": "RHSA-2008:0561", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0561.html"}, {"name": "ruby-rbstrbufappend-code-execution(43345)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43345"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.rpath.com/browse/RPL-2626"}, {"name": "DSA-1612", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1612"}, {"name": "GLSA-200812-17", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200812-17.xml"}, {"name": "33178", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33178"}, {"name": "29903", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/29903"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html"}, {"name": "30867", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30867"}, {"name": "MDVSA-2008:142", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:142"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.ruby-forum.com/topic/157034"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/"}, {"name": "USN-621-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/usn-621-1"}, {"name": "31181", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31181"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-2662", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SUSE-SR:2008:017", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html"}, {"name": "http://support.apple.com/kb/HT2163", "refsource": "CONFIRM", "url": "http://support.apple.com/kb/HT2163"}, {"name": "http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities", "refsource": "MISC", "url": "http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities"}, {"name": "MDVSA-2008:141", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:141"}, {"name": "30875", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30875"}, {"name": "ADV-2008-1981", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1981/references"}, {"name": "ADV-2008-1907", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1907/references"}, {"name": "DSA-1618", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1618"}, {"name": "31687", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31687"}, {"name": "30894", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30894"}, {"name": "31062", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31062"}, {"name": "31256", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31256"}, {"name": "20080626 rPSA-2008-0206-1 ruby", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/493688/100/0/threaded"}, {"name": "http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/", "refsource": "MISC", "url": "http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/"}, {"name": "SSA:2008-179-01", "refsource": "SLACKWARE", "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562"}, {"name": "APPLE-SA-2008-06-30", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"}, {"name": "1020347", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1020347"}, {"name": "http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html", "refsource": "MISC", "url": "http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html"}, {"name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206"}, {"name": "oval:org.mitre.oval:def:11601", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601"}, {"name": "FEDORA-2008-5649", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html"}, {"name": "MDVSA-2008:140", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:140"}, {"name": "30802", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30802"}, {"name": "30831", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30831"}, {"name": "RHSA-2008:0561", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0561.html"}, {"name": "ruby-rbstrbufappend-code-execution(43345)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43345"}, {"name": "https://issues.rpath.com/browse/RPL-2626", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-2626"}, {"name": "DSA-1612", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1612"}, {"name": "GLSA-200812-17", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-17.xml"}, {"name": "33178", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33178"}, {"name": "29903", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29903"}, {"name": "http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html", "refsource": "MISC", "url": "http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html"}, {"name": "30867", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30867"}, {"name": "MDVSA-2008:142", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:142"}, {"name": "http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/", "refsource": "CONFIRM", "url": "http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"}, {"name": "http://www.ruby-forum.com/topic/157034", "refsource": "MISC", "url": "http://www.ruby-forum.com/topic/157034"}, {"name": "http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/", "refsource": "MISC", "url": "http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/"}, {"name": "USN-621-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/usn-621-1"}, {"name": "31181", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31181"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:05:30.275Z"}, "title": "CVE Program Container", "references": [{"name": "SUSE-SR:2008:017", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.apple.com/kb/HT2163"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities"}, {"name": "MDVSA-2008:141", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:141"}, {"name": "30875", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30875"}, {"name": "ADV-2008-1981", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1981/references"}, {"name": "ADV-2008-1907", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1907/references"}, {"name": "DSA-1618", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1618"}, {"name": "31687", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31687"}, {"name": "30894", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30894"}, {"name": "31062", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31062"}, {"name": "31256", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31256"}, {"name": "20080626 rPSA-2008-0206-1 ruby", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/493688/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/"}, {"name": "SSA:2008-179-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE", "x_transferred"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562"}, {"name": "APPLE-SA-2008-06-30", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"}, {"name": "1020347", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1020347"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206"}, {"name": "oval:org.mitre.oval:def:11601", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601"}, {"name": "FEDORA-2008-5649", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html"}, {"name": "MDVSA-2008:140", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:140"}, {"name": "30802", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30802"}, {"name": "30831", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30831"}, {"name": "RHSA-2008:0561", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0561.html"}, {"name": "ruby-rbstrbufappend-code-execution(43345)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43345"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.rpath.com/browse/RPL-2626"}, {"name": "DSA-1612", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1612"}, {"name": "GLSA-200812-17", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200812-17.xml"}, {"name": "33178", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33178"}, {"name": "29903", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/29903"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html"}, {"name": "30867", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30867"}, {"name": "MDVSA-2008:142", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:142"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.ruby-forum.com/topic/157034"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/"}, {"name": "USN-621-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/usn-621-1"}, {"name": "31181", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31181"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-2662", "datePublished": "2008-06-24T19:00:00", "dateReserved": "2008-06-10T00:00:00", "dateUpdated": "2024-08-07T09:05:30.275Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "D65BD5CD-5ECE-4294-B8E6-D0276FE8CC98", "versionEndIncluding": "1.8.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A289D5F-E8F3-4102-BF83-C63114DFE32C", "versionEndExcluding": "1.8.5.231", "versionStartExcluding": "1.8.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABA0AC75-6B7E-48BD-891F-3FB312B9BA25", "versionEndExcluding": "1.8.6.230", "versionStartIncluding": "1.8.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EDF7713-E20F-4EED-A323-98902450FD09", "versionEndExcluding": "1.8.7.22", "versionStartIncluding": "1.8.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DDF08CB-5F01-49ED-9DDB-ED39C8B0423E", "versionEndExcluding": "1.9.0.2", "versionStartIncluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*", "matchCriteriaId": "5C18C3CD-969B-4AA3-AE3A-BA4A188F8BFF", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*", "matchCriteriaId": "6EBDAFF8-DE44-4E80-B6BD-E341F767F501", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "823BF8BE-2309-4F67-A5E2-EAD98F723468", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*", "matchCriteriaId": "C91D2DBF-6DA7-4BA2-9F29-8BD2725A4701", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change."}, {"lang": "es", "value": "M\u00faltiples desbordamientos de entero en la funci\u00f3n rb_str_buf_append de Ruby 1.8.4 y anteriores, 1.8.5 antes de 1.8.5-p231, 1.8.6 anterior a 1.8.6-p230, 1.8.7 anterior a 1.8.7-p22 y 1.9.0 antes de 1.9.0-2 permite a atacantes dependientes del contexto ejecutar c\u00f3digo de su elecci\u00f3n o provocar una denegaci\u00f3n de servicio mediante vectores desconocidos que disparan una corrupci\u00f3n de memoria, un problema distinto a CVE-2008-2663, CVE-2008-2664 y CVE-2008-2725. NOTA: a fecha de 24-06-2008, ha habido un uso inconsistente de m\u00faltiples identificadores CVE relacionados con Ruby. Esta descripci\u00f3n CVE debe ser tomada como autorizado, aunque probablemente cambie."}], "id": "CVE-2008-2662", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-06-24T19:41:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30802"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30831"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30867"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30875"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30894"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31062"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31181"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31256"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31687"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/33178"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://security.gentoo.org/glsa/glsa-200812-17.xml"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://support.apple.com/kb/HT2163"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2008/dsa-1612"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2008/dsa-1618"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:140"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:141"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:142"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0561.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ruby-forum.com/topic/157034"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/493688/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/29903"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1020347"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/usn-621-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2008/1907/references"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2008/1981/references"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43345"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://issues.rpath.com/browse/RPL-2626"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30802"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30831"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30867"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30875"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30894"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31181"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31256"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/31687"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/33178"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://security.gentoo.org/glsa/glsa-200812-17.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://support.apple.com/kb/HT2163"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2008/dsa-1612"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2008/dsa-1618"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:140"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:141"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:142"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0561.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ruby-forum.com/topic/157034"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/493688/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/29903"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1020347"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/usn-621-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2008/1907/references"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2008/1981/references"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43345"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://issues.rpath.com/browse/RPL-2626"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11601"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Drew Yao (Apple Product Security team) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2008:0561", "cpe": "cpe:/o:redhat:enterprise_linux:4", "package": "ruby-0:1.8.1-7.el4_6.1", "product_name": "Red Hat Enterprise Linux 4", "release_date": "2008-07-14T00:00:00Z"}, {"advisory": "RHSA-2008:0561", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "ruby-0:1.8.5-5.el5_2.3", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2008-07-14T00:00:00Z"}], "bugzilla": {"description": "ruby: Integer overflows in rb_str_buf_append()", "id": "450821", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=450821"}, "csaw": false, "cwe": "CWE-190", "details": ["Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change."], "name": "CVE-2008-2662", "public_date": "2008-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2008-2662\nhttps://nvd.nist.gov/vuln/detail/CVE-2008-2662"], "threat_severity": "Moderate"}

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object