Vulnerability Name: | CVE-2008-1891 (CCN-41824) | ||||||||
Assigned: | 2008-04-15 | ||||||||
Published: | 2008-04-15 | ||||||||
Updated: | 2017-08-08 | ||||||||
Summary: | Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. | ||||||||
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
| ||||||||
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N) 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
| ||||||||
Vulnerability Type: | CWE-22 | ||||||||
Vulnerability Consequences: | Obtain Information | ||||||||
References: | Source: CCN Type: Luigi Auriemma Advisories, 15 Apr 2008 CGI source disclosure in WEBrick Source: MISC Type: UNKNOWN http://aluigi.altervista.org/adv/webrickcgi-adv.txt Source: MITRE Type: CNA CVE-2008-1891 Source: SUSE Type: UNKNOWN SUSE-SR:2008:017 Source: CCN Type: SA29794 Ruby WEBrick Information Disclosure Source: SECUNIA Type: Vendor Advisory 29794 Source: SECUNIA Type: UNKNOWN 30831 Source: SECUNIA Type: UNKNOWN 31687 Source: MANDRIVA Type: UNKNOWN MDVSA-2008:140 Source: MANDRIVA Type: UNKNOWN MDVSA-2008:141 Source: CCN Type: OSVDB ID: 44682 WEBrick in Ruby URI Multiple Encoded Traversal Arbitrary File Access Source: CCN Type: Ruby Programming Language Web site Ruby Programming Language Source: CONFIRM Type: UNKNOWN http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ Source: VUPEN Type: UNKNOWN ADV-2008-1245 Source: XF Type: UNKNOWN ruby-webrick-cgi-info-disclosure(41824) Source: XF Type: UNKNOWN ruby-webrick-cgi-info-disclosure(41824) Source: FEDORA Type: UNKNOWN FEDORA-2008-5649 Source: SUSE Type: SUSE-SR:2008:017 SUSE Security Summary Report | ||||||||
Vulnerable Configuration: | Configuration 1:![]() | ||||||||
Oval Definitions | |||||||||
| |||||||||
BACK |