CVE-2018-8777
Publication date 3 April 2018
Last updated 24 July 2024
Ubuntu priority
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ruby1.9.1 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 1.9.3.484-2ubuntu1.12
|
|
| ruby2.0 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 2.0.0.484-1ubuntu2.10
|
|
| ruby2.3 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial |
Fixed 2.3.1-2~16.04.10
|
|
| 14.04 LTS trusty | Not in release | |
| ruby2.5 | 18.04 LTS bionic |
Fixed 2.5.1-1
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3685-1
- Ruby vulnerabilities
- 13 June 2018