CVE-2008-3655

Published: Aug 13, 2008Modified: Apr 23, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.

Affected (47)

Products: Ruby Lang: Ruby

Ruby Lang

1 product

Ruby

Configuration A

47 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Up to 1.8.5
Ruby Lang Ruby	Version 1.6.8
Ruby Lang Ruby	Version 1.8.0
Ruby Lang Ruby	Version 1.8.1
Ruby Lang Ruby	Version 1.8.1 -9
Ruby Lang Ruby	Version 1.8.2
Ruby Lang Ruby	Version 1.8.2 preview2
Ruby Lang Ruby	Version 1.8.2 preview3
Ruby Lang Ruby	Version 1.8.2 preview4
Ruby Lang Ruby	Version 1.8.3
Ruby Lang Ruby	Version 1.8.3 preview1
Ruby Lang Ruby	Version 1.8.3 preview2
Ruby Lang Ruby	Version 1.8.3 preview3
Ruby Lang Ruby	Version 1.8.4
Ruby Lang Ruby	Version 1.8.4 preview1
Ruby Lang Ruby	Version 1.8.4 preview2
Ruby Lang Ruby	Version 1.8.4 preview3
Ruby Lang Ruby	Version 1.8.5 p113
Ruby Lang Ruby	Version 1.8.5 p115
Ruby Lang Ruby	Version 1.8.5 p11
Ruby Lang Ruby	Version 1.8.5 p12
Ruby Lang Ruby	Version 1.8.5 p2
Ruby Lang Ruby	Version 1.8.5 p35
Ruby Lang Ruby	Version 1.8.5 preview1
Ruby Lang Ruby	Version 1.8.5 preview2
Ruby Lang Ruby	Version 1.8.5 preview3
Ruby Lang Ruby	Version 1.8.5 preview4
Ruby Lang Ruby	Version 1.8.5 preview5
Ruby Lang Ruby	Version 1.8.6
Ruby Lang Ruby	Version 1.8.6 p110
Ruby Lang Ruby	Version 1.8.6 p111
Ruby Lang Ruby	Version 1.8.6 p114
Ruby Lang Ruby	Version 1.8.6 p230
Ruby Lang Ruby	Version 1.8.6 p286
Ruby Lang Ruby	Version 1.8.6 p36
Ruby Lang Ruby	Version 1.8.6 preview1
Ruby Lang Ruby	Version 1.8.6 preview2
Ruby Lang Ruby	Version 1.8.6 preview3
Ruby Lang Ruby	Version 1.8.7
Ruby Lang Ruby	Version 1.8.7 p17
Ruby Lang Ruby	Version 1.8.7 p22
Ruby Lang Ruby	Version 1.8.7 p71
Ruby Lang Ruby	Version 1.8.7 preview1
Ruby Lang Ruby	Version 1.8.7 preview2
Ruby Lang Ruby	Version 1.8.7 preview3
Ruby Lang Ruby	Version 1.8.7 preview4
Ruby Lang Ruby	Version 1.9.0

Related CWEs

CWE-264

References (64)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401

Source: cve@mitre.org

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

Source: cve@mitre.org

http://secunia.com/advisories/31430

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/31697

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32165

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32219

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32255

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32256

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32371

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32372

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/33178

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/35074

Source: cve@mitre.org

Vendor Advisory

http://security.gentoo.org/glsa/glsa-200812-17.xml

Source: cve@mitre.org

http://support.apple.com/kb/HT3549

Source: cve@mitre.org

http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm

Source: cve@mitre.org

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0264

Source: cve@mitre.org

http://www.debian.org/security/2008/dsa-1651

Source: cve@mitre.org

Patch

http://www.debian.org/security/2008/dsa-1652

Source: cve@mitre.org

http://www.redhat.com/support/errata/RHSA-2008-0895.html

Source: cve@mitre.org

http://www.redhat.com/support/errata/RHSA-2008-0897.html

Source: cve@mitre.org

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Source: cve@mitre.org

Exploit

http://www.securityfocus.com/archive/1/495884/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/30644

Source: cve@mitre.org

ExploitPatch

http://www.securitytracker.com/id?1020656

Source: cve@mitre.org

http://www.us-cert.gov/cas/techalerts/TA09-133A.html

Source: cve@mitre.org

US Government Resource

http://www.vupen.com/english/advisories/2008/2334

Source: cve@mitre.org

Vendor Advisory

http://www.vupen.com/english/advisories/2009/1297

Source: cve@mitre.org

PatchVendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/44369

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11602

Source: cve@mitre.org

https://usn.ubuntu.com/651-1/

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00259.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00299.html

Source: cve@mitre.org

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401