CVE-2018-8777

CVE-2018-8777

Name

CVE-2018-8777

Description

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
Vendor Advisory	https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
Third Party Advisory	http://www.securityfocus.com/bid/103683
Mailing List	https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
Third Party Advisory	https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
Third Party Advisory	https://usn.ubuntu.com/3685-1/
Mailing List	https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory	https://www.debian.org/security/2018/dsa-4259
Third Party Advisory	http://www.securitytracker.com/id/1042004
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3731
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3730
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3729
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
REDHAT	https://access.redhat.com/errata/RHSA-2019:2028
REDHAT	https://access.redhat.com/errata/RHSA-2020:0542
REDHAT	https://access.redhat.com/errata/RHSA-2020:0591
REDHAT	https://access.redhat.com/errata/RHSA-2020:0663

Type

URI

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/

Vendor Advisory

https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/

Third Party Advisory

http://www.securityfocus.com/bid/103683

Mailing List

https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html

Third Party Advisory

https://usn.ubuntu.com/3685-1/

Mailing List

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

Third Party Advisory

https://www.debian.org/security/2018/dsa-4259

Third Party Advisory

http://www.securitytracker.com/id/1042004

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3731

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3730

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3729

SUSE

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

REDHAT

https://access.redhat.com/errata/RHSA-2019:2028

REDHAT

https://access.redhat.com/errata/RHSA-2020:0542

REDHAT

https://access.redhat.com/errata/RHSA-2020:0591

REDHAT

https://access.redhat.com/errata/RHSA-2020:0663

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.2.0	< 2.2.10
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.4.0	< 2.4.4
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.5.0	< 2.5.1
`cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1::::::`	ruby	== None	== 2.6.0
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.3.0	< 2.3.7

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.2.0

< 2.2.10

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.4.0

< 2.4.4

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.5.0

< 2.5.1

cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1:*:*:*:*:*:*

ruby

== None

== 2.6.0

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.3.0

< 2.3.7

References

Match rules

Vulnerable and fixed packages