Main Vulnerability Database Vulnerabilities #VU39950

#VU39950 Input validation error in Ruby - CVE-2016-2336

Published: January 6, 2017 / Updated: August 9, 2020

Vulnerability identifier: #VU39950

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2016-2336

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Ruby

Software vendor:
Ruby

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution. <a href="http://cwe.mitre.org/data/definitions/843.html">CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')</a>

Remediation

Install update from vendor's website.

External links

http://www.talosintelligence.com/reports/TALOS-2016-0029/

#VU39950 Input validation error in Ruby - CVE-2016-2336

Description

Remediation

External links

Please verify you're human