CVE-2011-2705
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
05/08/2011
Last modified:
11/04/2025
Description
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
Impact
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 1.8.7-334 (including) | |
| cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7:p72:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-160:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-173:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-248:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-249:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-299:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-302:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-330:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.8.7-p21:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.9:r18423:*:*:*:*:*:* | ||
| cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html
- http://redmine.ruby-lang.org/issues/4579
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
- http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_352/ChangeLog
- http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_290/ChangeLog
- http://www.openwall.com/lists/oss-security/2011/07/11/1
- http://www.openwall.com/lists/oss-security/2011/07/12/14
- http://www.openwall.com/lists/oss-security/2011/07/20/1
- http://www.openwall.com/lists/oss-security/2011/07/20/16
- http://www.redhat.com/support/errata/RHSA-2011-1581.html
- http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/
- http://www.ruby-lang.org/en/news/2011/07/15/ruby-1-9-2-p290-is-released/
- http://www.securityfocus.com/bid/49015
- https://bugzilla.redhat.com/show_bug.cgi?id=722415
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html
- http://redmine.ruby-lang.org/issues/4579
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050
- http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_352/ChangeLog
- http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_290/ChangeLog
- http://www.openwall.com/lists/oss-security/2011/07/11/1
- http://www.openwall.com/lists/oss-security/2011/07/12/14
- http://www.openwall.com/lists/oss-security/2011/07/20/1
- http://www.openwall.com/lists/oss-security/2011/07/20/16
- http://www.redhat.com/support/errata/RHSA-2011-1581.html
- http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/
- http://www.ruby-lang.org/en/news/2011/07/15/ruby-1-9-2-p290-is-released/
- http://www.securityfocus.com/bid/49015
- https://bugzilla.redhat.com/show_bug.cgi?id=722415