Published: 2005/09/21  Last Updated: 2008/05/21

JVN#62914675
Ruby vulnerability allowing to bypass safe level 4 as a sandbox

Overview

Ruby is an object-oriented scripting language that supports execution of untrusted code with two mechanisms: "object taint" and "safe level". Ruby contains a vulnerability that may allow an attacker to execute an arbitrary script by bypassing the "safe level" checks.
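The two mechanisms named above work together: data that enters from an untrusted source is marked tainted, taint follows the data through operations such as concatenation, and at a safe level of 1 or higher privileged operations refuse tainted input. The following is an added illustration written for this page, not Ruby's own implementation and not code from the advisory: it models the taint/safe-level idea in plain Ruby so that the check can be shown on any interpreter (modern Ruby no longer provides $SAFE or Object#taint). The class names, the Sandbox policy and the sample inputs are constructed for the example.

```ruby
# Added example: a user-level model of Ruby's "object taint" and "safe level" idea.
# It does NOT use the interpreter's built-in $SAFE / Object#taint; the names below
# (TaintedString, Sandbox, TaintViolation) are constructed for this illustration.

# A string value that remembers whether it originated from an untrusted source.
class TaintedString
  attr_reader :value

  def initialize(value, tainted: false)
    @value = value.to_s
    @tainted = tainted
  end

  def tainted?
    @tainted
  end

  # Concatenation propagates taint: if either operand is tainted, the result is.
  def +(other)
    other_tainted = other.respond_to?(:tainted?) && other.tainted?
    other_value = other.respond_to?(:value) ? other.value : other.to_s
    TaintedString.new(@value + other_value, tainted: @tainted || other_tainted)
  end

  def to_s
    @value
  end
end

# Anything read from outside the program (network, environment, user input)
# enters as tainted data.
def untrusted_input(raw)
  TaintedString.new(raw, tainted: true)
end

class TaintViolation < StandardError; end

# The "safe level" policy: at level >= 1, privileged operations reject tainted data.
class Sandbox
  def initialize(safe_level)
    @safe_level = safe_level
  end

  # A privileged operation: building a command line from a string argument.
  # Returns the command text that would be run, or raises if the policy forbids it.
  def build_command(str)
    if @safe_level >= 1 && str.tainted?
      raise TaintViolation, "Insecure operation: tainted string at safe level #{@safe_level}"
    end
    "ls #{str}"
  end
end

# Helper for the demo: report whether the sandbox let the operation through.
def check(safe_level, input)
  Sandbox.new(safe_level).build_command(input)
  :allowed
rescue TaintViolation
  :rejected
end

if __FILE__ == $0
  trusted  = TaintedString.new("/tmp")
  external = untrusted_input("user-supplied-argument")   # constructed sample input

  puts "level 0, tainted input:  #{check(0, external)}"            # allowed
  puts "level 1, trusted input:  #{check(1, trusted)}"             # allowed
  puts "level 1, tainted input:  #{check(1, external)}"            # rejected
  puts "level 1, mixed input:    #{check(1, trusted + external)}"  # rejected (taint propagated)
end
```

The last case is the one that matters for a sandbox: the tainted fragment survives concatenation with trusted data, so the privileged operation is still refused. A bypass of the kind this advisory describes is exactly a way to make such an operation run despite the policy, which is why code that relied on safe levels as its only isolation boundary needed the vendor fix rather than an application-side workaround.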

Products Affected

  • Ruby 1.8.2 and earlier

Description

Impact

An attacker could possibly execute an arbitrary script.

Solution

Vendor Status

Vendor               Status      Last Update   Vendor Notes
Ruby Security Team   Vulnerable  2005/09/21

References

  1. US-CERT Vulnerability Note VU#160012
    Ruby Safe-Level security model bypass

JPCERT/CC Addendum

Credit

Yutaka Oiwa of the Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Japan, reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2005-2337
JVN iPedia: JVNDB-2005-000538

Update History