Summary
Ruby WEBrick is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in log files.
Attackers can exploit this issue to execute arbitrary commands in a terminal.
Versions *prior to* the following are affected:
Ruby 1.8.6 patchlevel 388 Ruby 1.8.7 patchlevel 249 Ruby 1.9.1 patchlevel 378
Solution
Updates are available. Please see the references for details.
References
Severity
Classification
-
CVE CVE-2009-4492 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Apache HTTP Server Multiple Remote Denial of Service Vulnerabilities
- Apache Tomcat HTTP NIO Denial Of Service Vulnerability (Windows)
- IBM WebSphere Application Server JSF Application Information Disclosure Vulnerability
- Cherokee URI Directory Traversal Vulnerability and Information Disclosure Vulnerability
- Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability