CVE-2012-5370

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://2012.appsec-forum.ch/conferences/#c17
http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
http://rhn.redhat.com/errata/RHSA-2013-0533.html
http://www.ocert.org/advisories/ocert-2012-001.html
https://bugzilla.redhat.com/show_bug.cgi?id=880671
https://www.131002.net/data/talks/appsec12_slides.pdf

Configurations

Configuration 1 (hide)

cpe:2.3:a:jruby:jruby:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2012-11-28 13:03

Updated : 2024-02-04 18:16

NVD link : CVE-2012-5370

Mitre link : CVE-2012-5370

CVE.ORG link : CVE-2012-5370

JSON object : View

Products Affected

jruby

jruby

CWE

CWE-310

Cryptographic Issues

{"id": "CVE-2012-5370", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-11-28T13:03:10.057", "references": [{"url": "http://2012.appsec-forum.ch/conferences/#c17", "source": "cve@mitre.org"}, {"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf", "source": "cve@mitre.org"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html", "source": "cve@mitre.org"}, {"url": "http://www.ocert.org/advisories/ocert-2012-001.html", "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671", "source": "cve@mitre.org"}, {"url": "https://www.131002.net/data/talks/appsec12_slides.pdf", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."}, {"lang": "es", "value": "JRuby calcula los valores de hash sin restringir la posibilidad de provocar colisiones hash previsibles, lo que permite a atacantes dependientes de contexto provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de la manipulaci\u00f3n de una entrada para la aplicaci\u00f3n que mantiene la tabla de valores hash, como lo demuestra un ataque universal multicolision contra el algoritmo MurmurHash2, es una vulnerabilidad diferente a CVE-2011-4838."}], "lastModified": "2015-01-18T02:59:12.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jruby:jruby:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7AC52FE-91E7-40C9-B4DE-AD35FB630397"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}