ID CVE-2008-3656
Summary Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.
References
Vulnerable Configurations
  • cpe:2.3:a:ruby-lang:ruby:1.6.8:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.6.8:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.1:-9:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.1:-9:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.2:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.2:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.2:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.2:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.2:preview4:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.2:preview4:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.3:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.3:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.3:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.3:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.3:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.3:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.3:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.4:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.4:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.4:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.4:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.4:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.4:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.4:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:-:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:-:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.1:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.1:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.1:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.1:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.1:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.1:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.1:preview4:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.1:preview4:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.2:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.2:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:preview4:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:preview4:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:preview5:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:preview5:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:p11:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:p11:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:p113:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:p113:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:p115:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:p115:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:p12:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:p12:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:p2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:p2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.5:p35:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.5:p35:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:p110:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6:p110:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:p114:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6:p114:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.6:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p17:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p17:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview4:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview4:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*
CVSS
Base: 7.8 (as of 11-10-2018 - 20:48)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:C
oval via4
accepted 2013-04-29T04:21:18.758-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.
family unix
id oval:org.mitre.oval:def:9682
status accepted
submitted 2010-07-09T03:56:16-04:00
title Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.
version 24
redhat via4
advisories
rhsa
id RHSA-2008:0897
rpms
  • irb-0:1.8.1-7.el4_7.1
  • ruby-0:1.8.1-7.el4_7.1
  • ruby-devel-0:1.8.1-7.el4_7.1
  • ruby-docs-0:1.8.1-7.el4_7.1
  • ruby-libs-0:1.8.1-7.el4_7.1
  • ruby-mode-0:1.8.1-7.el4_7.1
  • ruby-tcltk-0:1.8.1-7.el4_7.1
  • ruby-0:1.8.5-5.el5_2.5
  • ruby-devel-0:1.8.5-5.el5_2.5
  • ruby-docs-0:1.8.5-5.el5_2.5
  • ruby-irb-0:1.8.5-5.el5_2.5
  • ruby-libs-0:1.8.5-5.el5_2.5
  • ruby-mode-0:1.8.5-5.el5_2.5
  • ruby-rdoc-0:1.8.5-5.el5_2.5
  • ruby-ri-0:1.8.5-5.el5_2.5
  • ruby-tcltk-0:1.8.5-5.el5_2.5
refmap via4
apple APPLE-SA-2009-05-12
bid 30644
bugtraq 20080831 rPSA-2008-0264-1 ruby
cert TA09-133A
confirm
debian
  • DSA-1651
  • DSA-1652
fedora
  • FEDORA-2008-8736
  • FEDORA-2008-8738
gentoo GLSA-200812-17
sectrack 1020654
secunia
  • 31430
  • 31697
  • 32165
  • 32219
  • 32255
  • 32256
  • 32371
  • 33178
  • 35074
ubuntu USN-651-1
vupen
  • ADV-2008-2334
  • ADV-2009-1297
xf ruby-webrick-dos(44371)
Last major update 11-10-2018 - 20:48
Published 13-08-2008 - 01:41
Back to Top