ID CVE-2012-5370
Summary JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
References
Vulnerable Configurations
  • cpe:2.3:a:jruby:jruby:-:*:*:*:*:*:*:*
    cpe:2.3:a:jruby:jruby:-:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 18-01-2015 - 02:59)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
rhsa
id RHSA-2013:0533
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=880671
misc
Last major update 18-01-2015 - 02:59
Published 28-11-2012 - 13:03
Last modified 18-01-2015 - 02:59
Back to Top