[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2009-4492Date: (C)2010-01-13   (M)2023-12-22


WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 7.5
Exploit Score: 10.0
Impact Score: 6.4
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
SECTRACK-1023429
http://www.securityfocus.com/archive/1/508830/100/0/threaded
BID-37710
SECUNIA-37949
ADV-2010-0089
RHSA-2011:0908
RHSA-2011:0909
http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection
http://www.ush.it/team/ush/hack_httpd_escape/adv.txt

OVAL    11
oval:org.secpod.oval:def:700195
oval:org.secpod.oval:def:201500
oval:org.secpod.oval:def:200526
oval:org.secpod.oval:def:200472
...

© SecPod Technologies