Summary
This host is installed with Ruby and is prone to a race condition vulnerability.
Impact
Successful exploitation allows attackers to execute arbitrary code with elevated privileges or cause a denial-of-service condition.
Impact Level: Application.
Solution
Upgrade to Ruby version 1.8.7-p334, 1.9.1-p431, 1.9.2-p180 or later. For updates refer to http://rubyforge.org/frs/?group_id=167
Insight
The flaw is due to a race condition within the 'FileUtils.remove_entry_secure' method, which can be exploited to delete arbitrary directories and files via symlink attacks.
Affected
Ruby version 1.8.6 through 1.8.6 patchlevel 420
Ruby version 1.8.7 through 1.8.7 patchlevel 330
Ruby version 1.9.1 through 1.9.1 patchlevel 430
Ruby version 1.9.2 through 1.9.2 patchlevel 136
Ruby versions 1.9.3dev and 1.8.8dev
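The Affected and Solution sections above give a version range that is easy to misread because the cut-off is a patchlevel, not a release number. The following check script is an added example written for this page; it is not code from the Ruby project or from the scanner. The fixed patchlevels (1.8.7-p334, 1.9.1-p431, 1.9.2-p180), the unfixed 1.8.6 branch and the two affected development branches are taken from this advisory; the function names, the accepted version-string formats and the :out_of_scope result for branches the advisory does not mention are assumptions of the example.

```ruby
# Added example for this advisory (not Ruby-project or scanner code): classify a
# Ruby version string against the CVE-2011-1004 affected/fixed ranges above.

# Patchlevel at which each listed branch received the fix (from the Solution section).
FIXED_PATCHLEVEL = {
  "1.8.7" => 334,
  "1.9.1" => 431,
  "1.9.2" => 180,
}.freeze

# Branches the advisory lists as affected with no fixed patchlevel of their own
# (1.8.6 users are directed to 1.8.7-p334 or later).
UNFIXED_BRANCHES = ["1.8.6"].freeze

# Development branches the advisory lists as affected.
AFFECTED_DEV = ["1.9.3dev", "1.8.8dev"].freeze

# Parse strings such as "1.8.7-p330", "1.9.2p180" or "1.9.3dev" into
# [branch, patchlevel]; patchlevel is nil when the string carries none.
# (Accepted formats are an assumption of this example.)
def parse_ruby_version(str)
  s = str.strip
  return [s, nil] if s.end_with?("dev")
  m = s.match(/\A(\d+\.\d+\.\d+)(?:-?p(-?\d+))?\z/)
  raise ArgumentError, "unrecognised Ruby version: #{str.inspect}" unless m
  [m[1], m[2] && m[2].to_i]
end

# Returns :vulnerable, :fixed, or :out_of_scope (a branch this advisory does not
# list, e.g. a 1.9.3 release or anything newer).
def cve_2011_1004_status(version_string)
  branch, patch = parse_ruby_version(version_string)
  return :vulnerable if AFFECTED_DEV.include?(branch)
  return :vulnerable if UNFIXED_BRANCHES.include?(branch)
  fixed = FIXED_PATCHLEVEL[branch]
  return :out_of_scope unless fixed
  # A release on an affected branch with no patchlevel predates the fix.
  (patch.nil? || patch < fixed) ? :vulnerable : :fixed
end

# Status of the interpreter running this script. RUBY_VERSION and
# RUBY_PATCHLEVEL are standard Ruby constants (patchlevel is -1 on dev builds).
def running_ruby_status
  cve_2011_1004_status("#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}")
end

if __FILE__ == $PROGRAM_NAME
  puts "#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{running_ruby_status}"
end
```

Run it with the interpreter under review (`ruby check.rb`) or call `cve_2011_1004_status` on version strings gathered from other hosts; anything reported :vulnerable should be upgraded to the patchlevels in the Solution section.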
References
CVE: CVE-2011-1004
Severity
CVSS Base Score: 6.3
CVSS Vector: AV:L/AC:M/Au:N/C:N/I:C/A:C