CVE-2008-1145
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 5215
Publication date : 2008-03-05 23h00 +00:00
Author : DSecRG
EDB Verified : Yes
Products Mentioned
Configuraton 0
Ruby-lang>>Webrick >> Version -
Ruby-lang>>Ruby >> Version From (including) 1.8.0 To (excluding) 1.8.5.115
Ruby-lang>>Ruby >> Version From (including) 1.8.6 To (excluding) 1.8.6.114
Ruby-lang>>Ruby >> Version 1.9.0
Ruby-lang>>Ruby >> Version 1.9.0.1
Configuraton 0
Fedoraproject>>Fedora >> Version 7
Fedoraproject>>Fedora >> Version 8
References
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
http://www.securityfocus.com/archive/1/490056/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141
Tags : vendor-advisory, x_refsource_MANDRIVA
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.securityfocus.com/archive/1/489205/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/489218/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html
Tags : vendor-advisory, x_refsource_FEDORA
Tags : vendor-advisory, x_refsource_FEDORA
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142
Tags : vendor-advisory, x_refsource_MANDRIVA
Tags : vendor-advisory, x_refsource_MANDRIVA
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html
Tags : vendor-advisory, x_refsource_FEDORA
Tags : vendor-advisory, x_refsource_FEDORA
