CVE-2018-8779

CVE-2018-8779

Name

CVE-2018-8779

Description

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
Patch	https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
Vendor Advisory	https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
Third Party Advisory	https://usn.ubuntu.com/3626-1/
Third Party Advisory	http://www.securityfocus.com/bid/103767
Third Party Advisory	https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
Mailing List	https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
Mailing List	https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory	https://www.debian.org/security/2018/dsa-4259
Third Party Advisory	http://www.securitytracker.com/id/1042004
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3731
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3730
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3729
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
REDHAT	https://access.redhat.com/errata/RHSA-2019:2028

Type

URI

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/

Patch

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/

Vendor Advisory

https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/

Third Party Advisory

https://usn.ubuntu.com/3626-1/

Third Party Advisory

http://www.securityfocus.com/bid/103767

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html

Mailing List

https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html

Mailing List

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

Third Party Advisory

https://www.debian.org/security/2018/dsa-4259

Third Party Advisory

http://www.securitytracker.com/id/1042004

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3731

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3730

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3729

SUSE

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

REDHAT

https://access.redhat.com/errata/RHSA-2019:2028

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1::::::`	ruby	== None	== 2.6.0
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.3.0	< 2.3.7
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.5.0	< 2.5.1
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.2.0	< 2.2.10
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.4.0	< 2.4.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1:*:*:*:*:*:*

ruby

== None

== 2.6.0

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.3.0

< 2.3.7

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.5.0

< 2.5.1

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.2.0

< 2.2.10

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.4.0

< 2.4.4

References

Match rules

Vulnerable and fixed packages