Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2008-2663

Disclosure Date: June 24, 2008 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

canonical,
debian,
ruby-lang

Products

debian linux 4.0,
ruby,
ubuntu linux 6.06,
ubuntu linux 7.04,
ubuntu linux 7.10,
ubuntu linux 8.04

References

Canonical

CVE-2008-2663 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663)

BID-29903 (http://www.securityfocus.com/bid/29903)

Advisory

http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html

XF-ruby-rbarystore-code-execution(43346) (https://exchange.xforce.ibmcloud.com/vulnerabilities/43346)

http://support.apple.com/kb/HT2163

SECUNIA-31090 (http://secunia.com/advisories/31090)

http://www.mandriva.com/security/advisories?name=MDVSA-2008:141

SECUNIA-30875 (http://secunia.com/advisories/30875)

ADV-2008-1981 (http://www.vupen.com/english/advisories/2008/1981/references)

ADV-2008-1907 (http://www.vupen.com/english/advisories/2008/1907/references)

DSA-1618 (http://www.debian.org/security/2008/dsa-1618)

SECUNIA-31687 (http://secunia.com/advisories/31687)

SECUNIA-30894 (http://secunia.com/advisories/30894)

SECUNIA-31062 (http://secunia.com/advisories/31062)

SECUNIA-31256 (http://secunia.com/advisories/31256)

20080626 rPSA-2008-0206-1 ruby (http://www.securityfocus.com/archive/1/493688/100/0/threaded)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10524

APPLE-SA-2008-06-30 (http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html)

SECTRACK-1020347 (http://www.securitytracker.com/id?1020347)

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206

FEDORA-2008-5649 (https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html)

http://www.mandriva.com/security/advisories?name=MDVSA-2008:140

SECUNIA-30802 (http://secunia.com/advisories/30802)

SECUNIA-30831 (http://secunia.com/advisories/30831)

http://www.redhat.com/support/errata/RHSA-2008-0561.html

https://issues.rpath.com/browse/RPL-2626

DSA-1612 (http://www.debian.org/security/2008/dsa-1612)

GLSA-200812-17 (http://security.gentoo.org/glsa/glsa-200812-17.xml)

SECUNIA-33178 (http://secunia.com/advisories/33178)

SECUNIA-30867 (http://secunia.com/advisories/30867)

http://www.mandriva.com/security/advisories?name=MDVSA-2008:142

http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities

USN-621-1 (http://www.ubuntu.com/usn/usn-621-1)

SECUNIA-31181 (http://secunia.com/advisories/31181)

Miscellaneous

http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562

http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html

http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

http://www.ruby-forum.com/topic/157034

http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue

Rapid7

Technical Analysis