vulnerability
Arch Linux: Insufficient validation (CVE-2019-15845)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:P/I:P/A:N) | Nov 26, 2019 | Jul 11, 2025 | Nov 27, 2025 |
Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published
Nov 26, 2019
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to NUL injection in built-in methods (File.fnmatch and File.fnmatch?). An attacker who has the control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author.
The Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains NUL character (\0), the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, a script that uses an external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.
The Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains NUL character (\0), the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, a script that uses an external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.
Solution
arch-linux-upgrade-latest
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.