Permissions, Privileges, and Access Controls in Opensuse and Ruby - CVE-2013-2065

 


Published: November 2, 2013 / Updated: August 10, 2020


Vulnerability identifier: #VU42404
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-2065
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Opensuse
Ruby
Software vendor:
SUSE
Ruby

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.


Remediation

Install update from vendor's website.
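
To confirm which side of the fix an interpreter is on, the following check compares a version and patchlevel against the ranges given in the description. It is an added example, not part of the original advisory or vendor code. The helper name `cve_2013_2065_status` is hypothetical, and it assumes upstream patchlevel numbering, so a distribution package that backports the fix without changing the patchlevel still needs checking against its package changelog.

```ruby
# Added example: classify a Ruby version/patchlevel pair against the ranges
# stated in the advisory description for CVE-2013-2065.
# Assumption: upstream version and patchlevel numbering (no vendor backports).

# First fixed [teeny, patchlevel] per release series, from the description:
# 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195.
FIRST_FIXED = {
  [1, 9] => [3, 426],
  [2, 0] => [0, 195]
}.freeze

# Hypothetical helper. Returns:
#   :affected     - inside a range the advisory names
#   :fixed        - same series, at or past the first fixed patchlevel
#   :out_of_scope - a series the advisory does not mention (this is not a
#                   statement that the series is unaffected)
def cve_2013_2065_status(version, patchlevel)
  m = /\A(\d+)\.(\d+)\.(\d+)\z/.match(version.to_s)
  raise ArgumentError, "unexpected version string: #{version.inspect}" unless m

  major, minor, teeny = m.captures.map(&:to_i)
  fixed = FIRST_FIXED[[major, minor]]
  return :out_of_scope if fixed.nil?

  # Array comparison orders by teeny first, then patchlevel. Preview and
  # development builds report patchlevel -1 and therefore sort as affected.
  ([teeny, Integer(patchlevel)] <=> fixed) < 0 ? :affected : :fixed
end

if __FILE__ == $0
  # RUBY_VERSION and RUBY_PATCHLEVEL describe the running interpreter.
  status = cve_2013_2065_status(RUBY_VERSION, RUBY_PATCHLEVEL)
  puts "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}: #{status}"
end
```
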
