Vulnerability Description
The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Ruby | 1.9.3 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090235.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090515.ht
- http://rhn.redhat.com/errata/RHSA-2013-0129.html
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37163
- http://www.openwall.com/lists/oss-security/2012/10/12/6
- http://www.openwall.com/lists/oss-security/2012/10/13/1
- http://www.openwall.com/lists/oss-security/2012/10/16/1
- http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090235.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090515.ht
- http://rhn.redhat.com/errata/RHSA-2013-0129.html
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37163
- http://www.openwall.com/lists/oss-security/2012/10/12/6
- http://www.openwall.com/lists/oss-security/2012/10/13/1
- http://www.openwall.com/lists/oss-security/2012/10/16/1
FAQ
What is CVE-2012-4522?
CVE-2012-4522 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected ...
How severe is CVE-2012-4522?
CVE-2012-4522 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-4522?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Ruby.