Overview
Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.
Description
Ruby is vulnerable to an attack on applications that expose XML-RPC services via XMLRPC.iPIMethods, due to an insecure default value in utils.rb. Any program or application using the XML-RPC services provided by XMLRPC.iPIMethods may be affected. Because the vulnerable code is typically used to provide remote services, a remote attacker may be able to execute arbitrary code.
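The note does not spell out the mechanism. The following added example (not Ruby's own xmlrpc code) assumes the weak default let remote callers reach methods the service author never meant to publish, and shows the defensive pattern: a dispatcher that only serves methods the handler class declares itself, rejecting everything inherited from Object or Kernel. The class and method names are constructed for illustration.

```ruby
# Added example, not part of Ruby's xmlrpc library. Assumption: the insecure
# default exposed more of a handler object than intended; the fix pattern is an
# explicit allowlist built from the handler's own methods only.
class NotExposed < StandardError; end

class XmlRpcDispatcher
  def initialize(prefix, handler)
    @prefix  = prefix
    @handler = handler
    # Allowlist = public instance methods defined on the handler's own class.
    # The `false` argument excludes inherited methods (instance_eval, send, ...).
    @allowed = handler.class.public_instance_methods(false).map(&:to_s)
  end

  # Names a client may call, in "prefix.method" form.
  def allowed_methods
    @allowed.map { |m| "#{@prefix}.#{m}" }.sort
  end

  # Dispatch "prefix.method" with args; anything not allowlisted is refused
  # before any reflection on the handler object takes place.
  def call(name, *args)
    ns, meth = name.split(".", 2)
    unless ns == @prefix && meth && @allowed.include?(meth)
      raise NotExposed, "method not exposed: #{name}"
    end
    @handler.public_send(meth, *args)
  end
end

# Constructed sample handler: only add and mul should be reachable remotely.
class CalculatorService
  def add(a, b); a + b; end
  def mul(a, b); a * b; end
end

DISPATCHER = XmlRpcDispatcher.new("calc", CalculatorService.new)

if __FILE__ == $0
  puts DISPATCHER.allowed_methods.inspect   # ["calc.add", "calc.mul"]
  puts DISPATCHER.call("calc.add", 2, 3)     # 5
  begin
    DISPATCHER.call("calc.instance_eval", "1")
  rescue NotExposed => e
    puts "rejected: #{e.message}"
  end
end
```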
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code.
Solution
Apply an update. Please see the Ruby XMLRPC.iPIMethods Vulnerability note for more information, or contact your vendor for an update.
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | | |
Temporal | | |
Environmental | | |
References
- http://secunia.com/advisories/15767/
- http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064
- http://www.securityfocus.com/bid/14016
- https://rhn.redhat.com/errata/RHSA-2005-543.html
- http://www.auscert.org.au/5356
- http://www.auscert.org.au/5509
Acknowledgements
Thanks to Nobuhiro IMAI for reporting this vulnerability.
This document was written by Ken MacInnis.
Other Information
CVE IDs: CVE-2005-1992
Severity Metric: 9.11
Date Public: 2005-06-20
Date First Published: 2005-10-03
Date Last Updated: 2005-10-18 14:44 UTC
Document Revision: 19