Vulnerability in the Ruby BigDecimal library (CVE-2009-1904)
CVSS v2.0 severity:
MEDIUM
Type:
CWE-189
Numeric Errors
Publication date:
11 June 2009
Last modified:
9 April 2025
Description
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempt to convert it to the Float data type.
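As an added example (not code from this advisory, from Ruby, or from any of the referenced patches), the Ruby module below bounds untrusted numeric strings before they reach BigDecimal and the subsequent Float conversion, which is the input path the description names. The module name, the limits and the sample inputs are assumptions chosen for illustration; the actual fix is upgrading to 1.8.6-p369 / 1.8.7-p173 or later, and this guard is only defence in depth for code that parses attacker-supplied numbers.

```ruby
require 'bigdecimal'

# Added example, not code from the advisory or from Ruby itself.
# Assumption: numeric strings arrive from an untrusted source (a form
# field, an API body) and are passed to BigDecimal and then to Float,
# the path the advisory describes. The guard bounds mantissa length and
# exponent size before the string reaches the BigDecimal parser, so an
# oversized number never gets there. The limits are illustrative.
module UntrustedDecimal
  class Rejected < ArgumentError; end

  MAX_DIGITS   = 40    # mantissa digits an application realistically needs
  MAX_EXP_LEN  = 4     # exponent text length, checked before Integer conversion
  MAX_EXPONENT = 308   # roughly the decimal exponent of Float::MAX

  # Plain decimal literal only: optional sign, digits, optional fraction,
  # optional exponent. Hex, underscores, "Infinity" and "NaN" are refused,
  # as are leading-dot forms such as ".5" (a conservative choice).
  FORMAT = /\A[+-]?(?<int>\d+)(?:\.(?<frac>\d+))?(?:[eE](?<exp>[+-]?\d+))?\z/

  # Returns a BigDecimal for a string that passes the bounds, else raises Rejected.
  def self.parse(str)
    s = str.to_s.strip
    m = FORMAT.match(s) or raise Rejected, "not a plain decimal literal"
    digits = m[:int] + m[:frac].to_s
    if digits.length > MAX_DIGITS
      raise Rejected, "mantissa has #{digits.length} digits (max #{MAX_DIGITS})"
    end
    if m[:exp]
      raise Rejected, "exponent text too long" if m[:exp].length > MAX_EXP_LEN
      raise Rejected, "exponent #{m[:exp]} out of range" if m[:exp].to_i.abs > MAX_EXPONENT
    end
    BigDecimal(s)
  end

  # The conversion the advisory names; refuses anything Float cannot hold.
  def self.to_float(str)
    f = parse(str).to_f
    raise Rejected, "value does not fit in a Float" unless f.finite?
    f
  end

  def self.accepts?(str)
    parse(str)
    true
  rescue Rejected
    false
  end
end

if __FILE__ == $0
  # Constructed sample inputs: two ordinary values, then strings that
  # represent very large numbers or are not decimal literals at all.
  ["123.45", "1.5e2", "9e99999999", "1" * 1_000, "1e400", "0x1F"].each do |input|
    shown = input.length > 20 ? "#{input[0, 17]}..." : input
    verdict = UntrustedDecimal.accepts?(input) ? UntrustedDecimal.to_float(input) : "rejected"
    puts "#{shown.ljust(20)} -> #{verdict}"
  end
end
```

The exponent text is length-checked before `to_i` so that the guard itself never does unbounded work on attacker input; the mantissa and exponent limits should be set from what the application actually needs, not from Float's range alone.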
Impact
CVSS v2.0 base score
5.00
CVSS v2.0 severity
MEDIUM
Vulnerable products and versions
CPE | From | To
---|---|---
cpe:2.3:a:ruby-lang:ruby:1.8.6:*:*:*:*:*:*:* | |
cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:* | |
For the full list of CPE names with products and versions, see this page
References to solutions, tools and information
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532689
- http://bugs.gentoo.org/show_bug.cgi?id=273213
- http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master
- http://groups.google.com/group/rubyonrails-security/msg/fad60751e2b9b4f6?dmode=source
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://mail-index.netbsd.org/pkgsrc-changes/2009/06/10/msg024708.html
- http://osvdb.org/55031
- http://redmine.ruby-lang.org/issues/show/794
- http://secunia.com/advisories/35399
- http://secunia.com/advisories/35527
- http://secunia.com/advisories/35593
- http://secunia.com/advisories/35699
- http://secunia.com/advisories/35937
- http://secunia.com/advisories/37705
- http://security.gentoo.org/glsa/glsa-200906-02.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.430805
- http://support.apple.com/kb/HT4077
- http://weblog.rubyonrails.org/2009/6/10/dos-vulnerability-in-ruby/
- http://www.mandriva.com/security/advisories?name=MDVSA-2009%3A160
- http://www.redhat.com/support/errata/RHSA-2009-1140.html
- http://www.ruby-forum.com/topic/189071
- http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
- http://www.securityfocus.com/bid/35278
- http://www.securitytracker.com/id?1022371=
- http://www.ubuntu.com/usn/USN-805-1
- http://www.vupen.com/english/advisories/2009/1563
- https://bugs.launchpad.net/bugs/385436
- https://bugs.launchpad.net/bugs/cve/2009-1904
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51032
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9780
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00731.html