Main Vulnerability Database Vulnerabilities #VU39950

Input validation error in Ruby - CVE-2016-2336

Published: January 6, 2017 / Updated: August 9, 2020

Vulnerability identifier: #VU39950

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2016-2336

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Ruby

Affected software:
Ruby

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution. <a href="http://cwe.mitre.org/data/definitions/843.html">CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')</a>

How to mitigate CVE-2016-2336

Install update from vendor's website.

Sources

http://www.talosintelligence.com/reports/TALOS-2016-0029/

Input validation error in Ruby - CVE-2016-2336

Detailed vulnerability description

How to mitigate CVE-2016-2336

Sources

Please verify you're human