CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
90.2%
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173
allows context-dependent attackers to cause a denial of service
(application crash) via a string argument that represents a large number,
as demonstrated by an attempted conversion to the Float data type.
Author | Note |
---|---|
mdeslaur | PoC here: http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master PoC here: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ best PoC here: http://redmine.ruby-lang.org/issues/show/794 backporting patch may introduce regression, see RH bug |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 6.06 | noarch | ruby1.8 | <Β 1.8.4-1ubuntu1.7 | UNKNOWN |
ubuntu | 8.04 | noarch | ruby1.8 | <Β 1.8.6.111-2ubuntu1.3 | UNKNOWN |
ubuntu | 8.10 | noarch | ruby1.8 | <Β 1.8.7.72-1ubuntu0.2 | UNKNOWN |
ubuntu | 9.04 | noarch | ruby1.8 | <Β 1.8.7.72-3ubuntu0.1 | UNKNOWN |
ubuntu | 8.10 | noarch | ruby1.9 | <Β 1.9.0.2-7ubuntu1.2 | UNKNOWN |
ubuntu | 9.04 | noarch | ruby1.9 | <Β 1.9.0.2-9ubuntu1.1 | UNKNOWN |
ubuntu | 9.10 | noarch | ruby1.9 | <Β 1.9.0.5-1ubuntu1.2 | UNKNOWN |
ubuntu | 10.04 | noarch | ruby1.9 | <Β 1.9.0.5-1ubuntu2 | UNKNOWN |
www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
launchpad.net/bugs/cve/CVE-2009-1904
nvd.nist.gov/vuln/detail/CVE-2009-1904
security-tracker.debian.org/tracker/CVE-2009-1904
ubuntu.com/security/notices/USN-805-1
ubuntu.com/security/notices/USN-900-1
www.cve.org/CVERecord?id=CVE-2009-1904