CVE-2008-1145

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
References
Link Resource
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html Broken Link Mailing List
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html Mailing List Third Party Advisory
http://secunia.com/advisories/29232 Not Applicable Vendor Advisory
http://secunia.com/advisories/29357 Not Applicable Vendor Advisory
http://secunia.com/advisories/29536 Not Applicable
http://secunia.com/advisories/30802 Not Applicable
http://secunia.com/advisories/31687 Not Applicable
http://secunia.com/advisories/32371 Not Applicable
http://support.apple.com/kb/HT2163 Third Party Advisory
http://wiki.rpath.com/Advisories:rPSA-2008-0123 Broken Link
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 Broken Link
http://www.kb.cert.org/vuls/id/404515 Third Party Advisory US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 Broken Link
http://www.redhat.com/support/errata/RHSA-2008-0897.html Third Party Advisory
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ Exploit Patch Vendor Advisory
http://www.securityfocus.com/archive/1/489205/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/489218/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/490056/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/28123 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1019562 Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2008/0787 Permissions Required
http://www.vupen.com/english/advisories/2008/1981/references Permissions Required
https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 Third Party Advisory VDB Entry
https://issues.rpath.com/browse/RPL-2338 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 Broken Link
https://www.exploit-db.com/exploits/5215 Exploit Third Party Advisory VDB Entry
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html Third Party Advisory
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html Broken Link Mailing List
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html Mailing List Third Party Advisory
http://secunia.com/advisories/29232 Not Applicable Vendor Advisory
http://secunia.com/advisories/29357 Not Applicable Vendor Advisory
http://secunia.com/advisories/29536 Not Applicable
http://secunia.com/advisories/30802 Not Applicable
http://secunia.com/advisories/31687 Not Applicable
http://secunia.com/advisories/32371 Not Applicable
http://support.apple.com/kb/HT2163 Third Party Advisory
http://wiki.rpath.com/Advisories:rPSA-2008-0123 Broken Link
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 Broken Link
http://www.kb.cert.org/vuls/id/404515 Third Party Advisory US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 Broken Link
http://www.redhat.com/support/errata/RHSA-2008-0897.html Third Party Advisory
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ Exploit Patch Vendor Advisory
http://www.securityfocus.com/archive/1/489205/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/489218/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/490056/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/28123 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1019562 Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2008/0787 Permissions Required
http://www.vupen.com/english/advisories/2008/1981/references Permissions Required
https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 Third Party Advisory VDB Entry
https://issues.rpath.com/browse/RPL-2338 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 Broken Link
https://www.exploit-db.com/exploits/5215 Exploit Third Party Advisory VDB Entry
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*
OR cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:1.9.0.1:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*

History

21 Nov 2024, 00:43

Type Values Removed Values Added
References () http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html - Broken Link, Mailing List () http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html - Broken Link, Mailing List
References () http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html - Mailing List, Third Party Advisory () http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html - Mailing List, Third Party Advisory
References () http://secunia.com/advisories/29232 - Not Applicable, Vendor Advisory () http://secunia.com/advisories/29232 - Not Applicable, Vendor Advisory
References () http://secunia.com/advisories/29357 - Not Applicable, Vendor Advisory () http://secunia.com/advisories/29357 - Not Applicable, Vendor Advisory
References () http://secunia.com/advisories/29536 - Not Applicable () http://secunia.com/advisories/29536 - Not Applicable
References () http://secunia.com/advisories/30802 - Not Applicable () http://secunia.com/advisories/30802 - Not Applicable
References () http://secunia.com/advisories/31687 - Not Applicable () http://secunia.com/advisories/31687 - Not Applicable
References () http://secunia.com/advisories/32371 - Not Applicable () http://secunia.com/advisories/32371 - Not Applicable
References () http://support.apple.com/kb/HT2163 - Third Party Advisory () http://support.apple.com/kb/HT2163 - Third Party Advisory
References () http://wiki.rpath.com/Advisories:rPSA-2008-0123 - Broken Link () http://wiki.rpath.com/Advisories:rPSA-2008-0123 - Broken Link
References () http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 - Broken Link () http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 - Broken Link
References () http://www.kb.cert.org/vuls/id/404515 - Third Party Advisory, US Government Resource () http://www.kb.cert.org/vuls/id/404515 - Third Party Advisory, US Government Resource
References () http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 - Broken Link () http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 - Broken Link
References () http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 - Broken Link () http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 - Broken Link
References () http://www.redhat.com/support/errata/RHSA-2008-0897.html - Third Party Advisory () http://www.redhat.com/support/errata/RHSA-2008-0897.html - Third Party Advisory
References () http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ - Exploit, Patch, Vendor Advisory () http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ - Exploit, Patch, Vendor Advisory
References () http://www.securityfocus.com/archive/1/489205/100/0/threaded - Third Party Advisory, VDB Entry () http://www.securityfocus.com/archive/1/489205/100/0/threaded - Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/archive/1/489218/100/0/threaded - Third Party Advisory, VDB Entry () http://www.securityfocus.com/archive/1/489218/100/0/threaded - Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/archive/1/490056/100/0/threaded - Third Party Advisory, VDB Entry () http://www.securityfocus.com/archive/1/490056/100/0/threaded - Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/28123 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/28123 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id?1019562 - Broken Link, Third Party Advisory, VDB Entry () http://www.securitytracker.com/id?1019562 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.vupen.com/english/advisories/2008/0787 - Permissions Required () http://www.vupen.com/english/advisories/2008/0787 - Permissions Required
References () http://www.vupen.com/english/advisories/2008/1981/references - Permissions Required () http://www.vupen.com/english/advisories/2008/1981/references - Permissions Required
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 - Third Party Advisory, VDB Entry () https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 - Third Party Advisory, VDB Entry
References () https://issues.rpath.com/browse/RPL-2338 - Broken Link () https://issues.rpath.com/browse/RPL-2338 - Broken Link
References () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 - Broken Link () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 - Broken Link
References () https://www.exploit-db.com/exploits/5215 - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/5215 - Exploit, Third Party Advisory, VDB Entry
References () https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html - Third Party Advisory () https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html - Third Party Advisory
References () https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html - Third Party Advisory () https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html - Third Party Advisory

01 Aug 2023, 18:58

Type Values Removed Values Added
References (BUGTRAQ) http://www.securityfocus.com/archive/1/490056/100/0/threaded - (BUGTRAQ) http://www.securityfocus.com/archive/1/490056/100/0/threaded - Third Party Advisory, VDB Entry
References (SECUNIA) http://secunia.com/advisories/29357 - Vendor Advisory (SECUNIA) http://secunia.com/advisories/29357 - Not Applicable, Vendor Advisory
References (APPLE) http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html - (APPLE) http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html - Broken Link, Mailing List
References (SECUNIA) http://secunia.com/advisories/30802 - (SECUNIA) http://secunia.com/advisories/30802 - Not Applicable
References (OVAL) https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 - (OVAL) https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 - Broken Link
References (EXPLOIT-DB) https://www.exploit-db.com/exploits/5215 - (EXPLOIT-DB) https://www.exploit-db.com/exploits/5215 - Exploit, Third Party Advisory, VDB Entry
References (VUPEN) http://www.vupen.com/english/advisories/2008/0787 - (VUPEN) http://www.vupen.com/english/advisories/2008/0787 - Permissions Required
References (CONFIRM) http://support.apple.com/kb/HT2163 - (CONFIRM) http://support.apple.com/kb/HT2163 - Third Party Advisory
References (CONFIRM) http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 - (CONFIRM) http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 - Broken Link
References (SECUNIA) http://secunia.com/advisories/29536 - (SECUNIA) http://secunia.com/advisories/29536 - Not Applicable
References (SECUNIA) http://secunia.com/advisories/29232 - Vendor Advisory (SECUNIA) http://secunia.com/advisories/29232 - Not Applicable, Vendor Advisory
References (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 - (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 - Broken Link
References (CONFIRM) http://wiki.rpath.com/Advisories:rPSA-2008-0123 - (CONFIRM) http://wiki.rpath.com/Advisories:rPSA-2008-0123 - Broken Link
References (VUPEN) http://www.vupen.com/english/advisories/2008/1981/references - (VUPEN) http://www.vupen.com/english/advisories/2008/1981/references - Permissions Required
References (CONFIRM) https://issues.rpath.com/browse/RPL-2338 - (CONFIRM) https://issues.rpath.com/browse/RPL-2338 - Broken Link
References (FEDORA) https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html - (FEDORA) https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html - Third Party Advisory
References (CONFIRM) http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ - Exploit, Patch (CONFIRM) http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ - Exploit, Patch, Vendor Advisory
References (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 - (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 - Third Party Advisory, VDB Entry
References (BUGTRAQ) http://www.securityfocus.com/archive/1/489205/100/0/threaded - (BUGTRAQ) http://www.securityfocus.com/archive/1/489205/100/0/threaded - Third Party Advisory, VDB Entry
References (CERT-VN) http://www.kb.cert.org/vuls/id/404515 - US Government Resource (CERT-VN) http://www.kb.cert.org/vuls/id/404515 - Third Party Advisory, US Government Resource
References (BID) http://www.securityfocus.com/bid/28123 - (BID) http://www.securityfocus.com/bid/28123 - Broken Link, Third Party Advisory, VDB Entry
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html - Mailing List, Third Party Advisory
References (FEDORA) https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html - (FEDORA) https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html - Third Party Advisory
References (SECTRACK) http://www.securitytracker.com/id?1019562 - (SECTRACK) http://www.securitytracker.com/id?1019562 - Broken Link, Third Party Advisory, VDB Entry
References (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 - (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 - Broken Link
References (SECUNIA) http://secunia.com/advisories/31687 - (SECUNIA) http://secunia.com/advisories/31687 - Not Applicable
References (BUGTRAQ) http://www.securityfocus.com/archive/1/489218/100/0/threaded - (BUGTRAQ) http://www.securityfocus.com/archive/1/489218/100/0/threaded - Third Party Advisory, VDB Entry
References (REDHAT) http://www.redhat.com/support/errata/RHSA-2008-0897.html - (REDHAT) http://www.redhat.com/support/errata/RHSA-2008-0897.html - Third Party Advisory
References (SECUNIA) http://secunia.com/advisories/32371 - (SECUNIA) http://secunia.com/advisories/32371 - Not Applicable
CPE cpe:2.3:a:webrick:webrick:*:*:*:*:*:*:*:* cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*
cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:1.9.0.1:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*

Information

Published : 2008-03-04 23:44

Updated : 2024-11-21 00:43


NVD link : CVE-2008-1145

Mitre link : CVE-2008-1145

CVE.ORG link : CVE-2008-1145


JSON object : View

Products Affected

ruby-lang

  • ruby
  • webrick

fedoraproject

  • fedora
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')