Vulnerability Details : CVE-2011-4815
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Vulnerability category: Input validationDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2011-4815
Probability of exploitation activity in the next 30 days: 2.02%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 87 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2011-4815
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST |
CWE ids for CVE-2011-4815
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-4815
-
http://www.nruns.com/_downloads/advisory28122011.pdf
Best 7 Best Internet Security Software in 2019
-
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
Apple - Lists.apple.com
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/72020
Ruby hash denial of service CVE-2011-4815 Vulnerability Report
-
http://support.apple.com/kb/HT5281
About the security content of OS X Lion v10.7.4 and Security Update 2012-002 - Apple Support
-
http://www.kb.cert.org/vuls/id/903934
VU#903934 - Hash table implementations vulnerable to algorithmic complexity attacksUS Government Resource
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
-
http://www.ocert.org/advisories/ocert-2011-003.html
oCERT archive
-
http://www.securitytracker.com/id?1026474
Ruby Hash Table Collision Bug Lets Remote Users Deny Service - SecurityTracker
-
http://rhn.redhat.com/errata/RHSA-2012-0070.html
RHSA-2012:0070 - Security Advisory - Red Hat Customer Portal
-
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/391606
[ANN] ruby 1.8.7 patchlevel 357 released
-
http://www.ruby-lang.org/en/news/2011/12/28/denial-of-service-attack-was-found-for-rubys-hash-algorithm/
404: Not Found
-
http://rhn.redhat.com/errata/RHSA-2012-0069.html
RHSA-2012:0069 - Security Advisory - Red Hat Customer Portal
-
http://jvndb.jvn.jp/ja/contents/2012/JVNDB-2012-000066.html
JVNDB-2012-000066 - JVN iPedia - 脆弱性対策情報データベース
-
http://jvn.jp/en/jp/JVN90615481/index.html
JVN#90615481: Ruby hash table implementation vulnerable to denial-of-service
Products affected by CVE-2011-4815
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.8.7-p334:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.8.7-p330:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.8.7-p302:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:1.8.7-p299:*:*:*:*:*:*:*