Oracle Linux: CVE-2017-14064: ELSA-2018-0378: ruby security update (IMPORTANT) (Multiple Advisories)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
5 | (AV:N/AC:H/Au:N/C:C/I:N/A:N) | Mar 2, 2017 | Mar 1, 2018 | Nov 29, 2024 |
Description
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in the use of strdup in ext/json/ext/generator/generator.c: strdup stops at the first '\0' byte, so a separator string with an embedded NUL is copied as a zero-length string, while space_len still holds the length of the original Ruby string. The generator then emits space_len bytes from that short buffer, reading past it into heap memory.
A buffer overflow vulnerability was found in the JSON extension of ruby. An attacker with the ability to pass a specially crafted JSON input to the extension could use this flaw to expose the interpreter's heap memory.
Solution(s)
oracle-linux-upgrade-ruby
oracle-linux-upgrade-ruby-devel
oracle-linux-upgrade-ruby-doc
oracle-linux-upgrade-rubygem-bigdecimal
oracle-linux-upgrade-rubygem-io-console
oracle-linux-upgrade-rubygem-json
oracle-linux-upgrade-rubygem-minitest
oracle-linux-upgrade-rubygem-psych
oracle-linux-upgrade-rubygem-rake
oracle-linux-upgrade-rubygem-rdoc
oracle-linux-upgrade-rubygems
oracle-linux-upgrade-rubygems-devel
oracle-linux-upgrade-ruby-irb
oracle-linux-upgrade-ruby-libs
oracle-linux-upgrade-ruby-tcltk