CVE-2017-0898

CVSS v3.0 9.1 (Critical)
CVSS v2.0 6.4 (Medium)
EPSS 1.26 % (86th)
Affected Products 1
Advisories 14

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge negative value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.

Weaknesses
CWE-134
Use of Externally-Controlled Format String
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2017-09-15 19:29:00
Updated Date
2018-07-15 01:29:01

Affected Products


Configuration #1

  Vendor     Product  Version  CPE 2.3                               From  Up To
  Ruby-lang  Ruby     2.2.0    cpe:2.3:a:ruby-lang:ruby:2.2.0        -     -
  Ruby-lang  Ruby     2.2.1    cpe:2.3:a:ruby-lang:ruby:2.2.1        -     -
  Ruby-lang  Ruby     2.2.2    cpe:2.3:a:ruby-lang:ruby:2.2.2        -     -
  Ruby-lang  Ruby     2.2.3    cpe:2.3:a:ruby-lang:ruby:2.2.3        -     -
  Ruby-lang  Ruby     2.2.4    cpe:2.3:a:ruby-lang:ruby:2.2.4        -     -
  Ruby-lang  Ruby     2.2.5    cpe:2.3:a:ruby-lang:ruby:2.2.5        -     -
  Ruby-lang  Ruby     2.2.6    cpe:2.3:a:ruby-lang:ruby:2.2.6        -     -
  Ruby-lang  Ruby     2.2.7    cpe:2.3:a:ruby-lang:ruby:2.2.7        -     -
  Ruby-lang  Ruby     2.3.0    cpe:2.3:a:ruby-lang:ruby:2.3.0        -     -
  Ruby-lang  Ruby     2.3.1    cpe:2.3:a:ruby-lang:ruby:2.3.1        -     -
  Ruby-lang  Ruby     2.3.2    cpe:2.3:a:ruby-lang:ruby:2.3.2        -     -
  Ruby-lang  Ruby     2.3.3    cpe:2.3:a:ruby-lang:ruby:2.3.3        -     -
  Ruby-lang  Ruby     2.3.4    cpe:2.3:a:ruby-lang:ruby:2.3.4        -     -
  Ruby-lang  Ruby     2.4.0    cpe:2.3:a:ruby-lang:ruby:2.4.0        -     -
  Ruby-lang  Ruby     2.4.1    cpe:2.3:a:ruby-lang:ruby:2.4.1        -     -