CVE-2016-2338

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.talosintelligence.com/reports/TALOS-2016-0032/	Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20221228-0005/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:ruby:2.2.2:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.3.0:::::::*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

01 Mar 2023, 16:35

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-29 03:15

Updated : 2024-02-04 22:51

NVD link : CVE-2016-2338

Mitre link : CVE-2016-2338

CVE.ORG link : CVE-2016-2338

JSON object : View

Products Affected

ruby-lang

ruby

debian

debian_linux

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2016-2338", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-09-29T03:15:11.470", "references": [{"url": "http://www.talosintelligence.com/reports/TALOS-2016-0032/", "tags": ["Exploit", "Third Party Advisory"], "source": "cret@cert.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cret@cert.org"}, {"url": "https://security.netapp.com/advisory/ntap-20221228-0005/", "tags": ["Third Party Advisory"], "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer \"head\" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de desbordamiento de pila explotable en la funci\u00f3n Psych::Emitter start_document de Ruby. En la funci\u00f3n Psych::Emitter start_document la asignaci\u00f3n de \"head\" del buffer de heap es realizada en base a la longitud del array de etiquetas. Un objeto especialmente construido que es pasado como elemento de la matriz de etiquetas puede aumentar el tama\u00f1o de esta matriz despu\u00e9s de la asignaci\u00f3n mencionada y causar un desbordamiento de la pila"}], "lastModified": "2023-03-01T16:35:02.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FCCD8F3-E667-42F2-9861-14EDFB16583A"}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "822307DD-7F7D-44C2-9C4B-CB8704663410"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}