CVE-2011-1004

Published: Mar 2, 2011Modified: Apr 29, 2026

6.3

Vector

AV:L/AC:M/Au:N/C:N/I:C/A:C

Exploitability: 3.4 / Impact: 9.2

Source: NVD

Description

The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.

Affected (6)

Products: Ruby Lang: Ruby

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Version 1.8.6
Ruby Lang Ruby	Version 1.8.7
Ruby Lang Ruby	Version 1.8.8 dev
Ruby Lang Ruby	Version 1.9.1
Ruby Lang Ruby	Version 1.9.2
Ruby Lang Ruby	Version 1.9.3 dev

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (32)

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054422.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054436.html

Source: secalert@redhat.com

http://osvdb.org/70958

Source: secalert@redhat.com

http://secunia.com/advisories/43434

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/43573

Source: secalert@redhat.com

http://support.apple.com/kb/HT5281

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2011:097

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/02/21/2

Source: secalert@redhat.com

Patch

http://www.openwall.com/lists/oss-security/2011/02/21/5

Source: secalert@redhat.com

Patch

http://www.redhat.com/support/errata/RHSA-2011-0909.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-0910.html

Source: secalert@redhat.com

http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/

Source: secalert@redhat.com

PatchVendor Advisory

http://www.securityfocus.com/bid/46460

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2011/0539

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=678913

Source: secalert@redhat.com

Patch

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054422.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054436.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://osvdb.org/70958

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/43434

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/43573

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.apple.com/kb/HT5281

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2011:097

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/02/21/2

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.openwall.com/lists/oss-security/2011/02/21/5

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.redhat.com/support/errata/RHSA-2011-0909.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.redhat.com/support/errata/RHSA-2011-0910.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://www.securityfocus.com/bid/46460

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vupen.com/english/advisories/2011/0539

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=678913

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.