Vulnerability Note VU#684913

Ruby library contains vulnerable default value

Original Release date: 03 Oct 2005 | Last revised: 18 Oct 2005


Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.


Ruby is vulnerable to an attack on applications using the XML-RPC services via XMLRPC.iPIMethods, due to an insecure default value in utils.rb. Any program or application using the XML-RPC services provided by XMLRPC.iPIMethods may be affected. Due to the vulnerability occurring in code that is typically used to provide remote services, this may allow a remote attacker to execute arbitrary code.


A remote, unauthenticated attacker may be able to execute arbitrary code.


Apply an update

Please see the Ruby XMLRPC.iPIMethods Vulnerability note for more information, or contact your vendor for an update.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Red Hat, Inc.Affected-18 Oct 2005
RubyAffected-03 Oct 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Nobuhiro IMAI for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-1992
  • Date Public: 20 Jun 2005
  • Date First Published: 03 Oct 2005
  • Date Last Updated: 18 Oct 2005
  • Severity Metric: 9.11
  • Document Revision: 19


If you have feedback, comments, or additional information about this vulnerability, please send us email.