CVE-2009-5147 - OpenCVE

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ruby-lang	Ruby

Configuration 1 [-]

OR	cpe:2.3:a:ruby-lang:ruby:1.8.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.2:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.3:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.0.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p195::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p247::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p353::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p481::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p576::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p594::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p598::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p643::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p645::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p647::::::
	cpe:2.3:a:ruby-lang:ruby:2.1.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.1:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.2:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.3:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.4:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.5:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.6:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.1.7:::::::*

References

Link	Resource
http://seclists.org/oss-sec/2015/q3/222	Patch Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/76060	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:0583
https://bugzilla.redhat.com/show_bug.cgi?id=1248935	Issue Tracking Patch Third Party Advisory VDB Entry
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b	Patch Third Party Advisory
https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-03-29T14:00:00

Updated: 2018-03-27T09:57:01

Reserved: 2015-07-28T00:00:00

Link: CVE-2009-5147

JSON object: View

NVD Information

Status : Modified

Published: 2017-03-29T14:59:00.187

Modified: 2018-03-28T01:29:01.247

Link: CVE-2009-5147

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-07-28T00:00:00", "descriptions": [{"lang": "en", "value": "DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-27T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b"}, {"name": "[oss-security] 20150728 Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2015/q3/222"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/"}, {"name": "RHSA-2018:0583", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1248935"}, {"name": "76060", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/76060"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-5147", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b", "refsource": "CONFIRM", "url": "https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b"}, {"name": "[oss-security] 20150728 Re: CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2015/q3/222"}, {"name": "https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/", "refsource": "CONFIRM", "url": "https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/"}, {"name": "RHSA-2018:0583", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1248935", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1248935"}, {"name": "76060", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76060"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-5147", "datePublished": "2017-03-29T14:00:00", "dateReserved": "2015-07-28T00:00:00", "dateUpdated": "2018-03-27T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "16BDFA5C-35BE-4B7E-BD2D-C28B095F62E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "52179EC7-CAF0-42AA-A21A-7105E10CA122", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "5178D04D-1C29-4353-8987-559AA07443EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "D0535DC9-EB0E-4745-80AC-4A020DF26E38", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B03B7561-A854-4EFA-9E4E-CFC4EEAE4EE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p195:*:*:*:*:*:*", "matchCriteriaId": "1C663278-3B2A-4B7C-959A-2AA804467F21", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p247:*:*:*:*:*:*", "matchCriteriaId": "B7927149-A76A-48BC-8405-7375FC7D7486", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p353:*:*:*:*:*:*", "matchCriteriaId": "3D627638-64AA-455B-9FEA-093D3773B9FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p481:*:*:*:*:*:*", "matchCriteriaId": "19CF27FB-DCF5-4533-B309-55615AE21A63", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p576:*:*:*:*:*:*", "matchCriteriaId": "B9865DD1-F2AF-40B6-848A-EA9FD37034DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p594:*:*:*:*:*:*", "matchCriteriaId": "C10BD21E-B9FA-4B57-B617-0108A00D6132", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p598:*:*:*:*:*:*", "matchCriteriaId": "3D5ABD47-64AC-4844-B78B-F0D3BC3B8F49", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p643:*:*:*:*:*:*", "matchCriteriaId": "4EF7FDAD-9CAF-452D-B229-EF7C390DE712", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p645:*:*:*:*:*:*", "matchCriteriaId": "942C4584-11B4-4E6E-BD42-6F4573E55412", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.0.0:p647:*:*:*:*:*:*", "matchCriteriaId": "49AB6D01-7AFE-4482-A6B4-C085A100A9A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "85A846FF-DD34-4DD6-BD61-09124C145E97", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8DF046E4-503B-4A10-BEAB-3144BD86EA49", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "9FCA45F1-3038-413A-B8C3-EE366A4E6248", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "FF6AF5E3-4EB8-48A3-B8E9-C79C08C38994", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "6AE2B154-8126-4A38-BAB6-915207764FC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "808FA8BE-71FC-4ADD-BDEA-637E8DF4E899", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "523417A8-F62B-48AF-B60B-CE9A200D4A9A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "FAB1E0F8-F9B0-40E9-892E-C62729525CE5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names."}, {"lang": "es", "value": "DL::dlopen en Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 en versiones anteriores a patchlevel 648, y 2.1 en versiones anteriores a 2.1.8 abre librer\u00edas con nombres contaminados."}], "id": "CVE-2009-5147", "lastModified": "2018-03-28T01:29:01.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-29T14:59:00.187", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "http://seclists.org/oss-sec/2015/q3/222"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/76060"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:0583"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1248935"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}