Lucene search

[email protected]CVE-2008-1145

HistoryMar 04, 2008 - 11:44 p.m.

CVE-2008-1145

2008-03-0423:44:00

CWE-22

[email protected]

web.nvd.nist.gov

148

cve-2008-1145

directory traversal

vulnerability

webrick

ruby

remote attackers

arbitrary file access

nondisclosurename

backslash

case-insensitive file names

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.22 Low

EPSS

Percentile

96.5%

JSON

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash () path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) “…%5c” (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.

Affected configurations

NVD

Node

ruby-langwebrickMatch-ruby

AND

ruby-langrubyRange1.8.0–1.8.5.115

ruby-langrubyRange1.8.6–1.8.6.114

ruby-langrubyMatch1.9.0

ruby-langrubyMatch1.9.0.1

Node

fedoraprojectfedoraMatch7

fedoraprojectfedoraMatch8

CPENameOperatorVersion
ruby-lang:webrickruby-lang webrickeq-

CPE	Name	Operator	Version
ruby-lang:webrick	ruby-lang webrick	eq	-

References

lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html

secunia.com/advisories/29232

secunia.com/advisories/29357

secunia.com/advisories/29536

secunia.com/advisories/30802

secunia.com/advisories/31687

secunia.com/advisories/32371

support.apple.com/kb/HT2163

wiki.rpath.com/Advisories:rPSA-2008-0123

wiki.rpath.com/wiki/Advisories:rPSA-2008-0123

www.kb.cert.org/vuls/id/404515

www.mandriva.com/security/advisories?name=MDVSA-2008:141

www.mandriva.com/security/advisories?name=MDVSA-2008:142

www.redhat.com/support/errata/RHSA-2008-0897.html

www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/

www.securityfocus.com/archive/1/489205/100/0/threaded

www.securityfocus.com/archive/1/489218/100/0/threaded

www.securityfocus.com/archive/1/490056/100/0/threaded

www.securityfocus.com/bid/28123

www.securitytracker.com/id?1019562

www.vupen.com/english/advisories/2008/0787

www.vupen.com/english/advisories/2008/1981/references

exchange.xforce.ibmcloud.com/vulnerabilities/41010

issues.rpath.com/browse/RPL-2338

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937

www.exploit-db.com/exploits/5215

www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html

www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.22 Low

EPSS

Percentile

96.5%

JSON

Related for CVE-2008-1145

ubuntucve1 prion1 nvd1 cert1 cvelist1 openvas18 nessus14 fedora5 oraclelinux2 centos1 redhat1