#VU8123 Information disclosure in RubyGems


Published: 2017-09-06 | Updated: 2017-09-15

Vulnerability identifier: #VU8123

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-14064

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RubyGems
Universal components / Libraries / Libraries used by multiple products

Vendor: Ruby

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an issue with using strdup in ext/json/ext/generator/generator.c during a JSON generate call. A remote attacker can send a specially crafted request, stop strdup after encountering a '' byte, returning a pointer to a string of length zero, which is not the length stored in space_len and expose arbitrary memory.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
Update to version 2.3.5 or 2.4.2.

Vulnerable software versions

RubyGems: 2.2.7 - 2.4.1

External links
http://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Protection Search
Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance
Ubuntu update for ruby2.0
Information disclosure in prayer (Alpine package)
Multiple vulnerabilities in Apple MacOS
Red Hat Software Collections update for rh-ruby23-ruby
Red Hat Software Collections update for rh-ruby22-ruby
Red Hat update for ruby
Ubuntu update for Ruby
Red Hat update for ruby