CVE-2018-8779
Public on 2018-04-03
Modified on 2019-08-27
Description
It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle the NULL byte properly. An attacker, able to inject NULL bytes in the socket path, could possibly trigger an unspecified behavior of the ruby script.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | ruby | 2019-08-23 | ALAS2-2019-1276 | Fixed |
| Amazon Linux 1 | ruby20 | 2018-04-04 | ALAS-2018-983 | Fixed |
| Amazon Linux 1 | ruby22 | 2018-04-04 | ALAS-2018-983 | Fixed |
| Amazon Linux 1 | ruby23 | 2018-04-04 | ALAS-2018-983 | Fixed |
| Amazon Linux 1 | ruby24 | 2018-04-04 | ALAS-2018-983 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |