CVE-2008-3657

Published: Aug 13, 2008Modified: Apr 23, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.

Affected (43)

Products: Ruby Lang: Ruby

Ruby Lang

1 product

Ruby

Configuration A

43 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Up to 1.8.5
Ruby Lang Ruby	Version 1.6.8
Ruby Lang Ruby	Version 1.8.0
Ruby Lang Ruby	Version 1.8.1
Ruby Lang Ruby	Version 1.8.1 -9
Ruby Lang Ruby	Version 1.8.2
Ruby Lang Ruby	Version 1.8.2 preview2
Ruby Lang Ruby	Version 1.8.2 preview3
Ruby Lang Ruby	Version 1.8.2 preview4
Ruby Lang Ruby	Version 1.8.3
Ruby Lang Ruby	Version 1.8.3 preview1
Ruby Lang Ruby	Version 1.8.3 preview2
Ruby Lang Ruby	Version 1.8.3 preview3
Ruby Lang Ruby	Version 1.8.4
Ruby Lang Ruby	Version 1.8.4 preview1
Ruby Lang Ruby	Version 1.8.4 preview2
Ruby Lang Ruby	Version 1.8.4 preview3
Ruby Lang Ruby	Version 1.8.5 p113
Ruby Lang Ruby	Version 1.8.5 p115
Ruby Lang Ruby	Version 1.8.5 p11
Ruby Lang Ruby	Version 1.8.5 p12
Ruby Lang Ruby	Version 1.8.5 p2
Ruby Lang Ruby	Version 1.8.5 p35
Ruby Lang Ruby	Version 1.8.5 preview1
Ruby Lang Ruby	Version 1.8.5 preview2
Ruby Lang Ruby	Version 1.8.5 preview3
Ruby Lang Ruby	Version 1.8.5 preview4
Ruby Lang Ruby	Version 1.8.5 preview5
Ruby Lang Ruby	Version 1.8.6
Ruby Lang Ruby	Version 1.8.6 p110
Ruby Lang Ruby	Version 1.8.6 p114
Ruby Lang Ruby	Version 1.8.6 preview1
Ruby Lang Ruby	Version 1.8.6 preview2
Ruby Lang Ruby	Version 1.8.6 preview3
Ruby Lang Ruby	Version 1.8.7
Ruby Lang Ruby	Version 1.8.7 p17
Ruby Lang Ruby	Version 1.8.7 p22
Ruby Lang Ruby	Version 1.8.7 p71
Ruby Lang Ruby	Version 1.8.7 preview1
Ruby Lang Ruby	Version 1.8.7 preview2
Ruby Lang Ruby	Version 1.8.7 preview3
Ruby Lang Ruby	Version 1.8.7 preview4
Ruby Lang Ruby	Version 1.9.0

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (60)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401

Source: cve@mitre.org

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

Source: cve@mitre.org

http://secunia.com/advisories/31430

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/31697

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32165

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32219

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32255

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32256

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/32371

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/33178

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/35074

Source: cve@mitre.org

Vendor Advisory

http://security.gentoo.org/glsa/glsa-200812-17.xml

Source: cve@mitre.org

http://support.apple.com/kb/HT3549

Source: cve@mitre.org

http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm

Source: cve@mitre.org

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0264

Source: cve@mitre.org

http://www.debian.org/security/2008/dsa-1651

Source: cve@mitre.org

http://www.debian.org/security/2008/dsa-1652

Source: cve@mitre.org

http://www.redhat.com/support/errata/RHSA-2008-0897.html

Source: cve@mitre.org

http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

Source: cve@mitre.org

http://www.securityfocus.com/archive/1/495884/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/30644

Source: cve@mitre.org

ExploitPatch

http://www.securitytracker.com/id?1020652

Source: cve@mitre.org

http://www.us-cert.gov/cas/techalerts/TA09-133A.html

Source: cve@mitre.org

US Government Resource

http://www.vupen.com/english/advisories/2008/2334

Source: cve@mitre.org

Vendor Advisory

http://www.vupen.com/english/advisories/2009/1297

Source: cve@mitre.org

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/44372

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9793

Source: cve@mitre.org

https://usn.ubuntu.com/651-1/

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00259.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00299.html

Source: cve@mitre.org

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401