
CVE-2012-5371
Date: (C) 2012-11-28   (M) 2023-12-22


Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 5.0
Exploit Score: 10.0
Impact Score: 2.9
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
Reference:
SECTRACK-1027747
SECUNIA-51253
BID-56484
OSVDB-87280
USN-1733-1
http://2012.appsec-forum.ch/conferences/#c17
http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
http://www.ocert.org/advisories/ocert-2012-001.html
http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
https://bugzilla.redhat.com/show_bug.cgi?id=875236
https://www.131002.net/data/talks/appsec12_slides.pdf
ruby-hash-function-dos(79993)

CPE (8)
cpe:/a:ruby-lang:ruby:1.9.3:p0
cpe:/a:ruby-lang:ruby:1.9.3:p194
cpe:/a:ruby-lang:ruby:1.9.3:p125
cpe:/a:ruby-lang:ruby:1.9.3
...
CWE (1)
CWE-310
OVAL (5)
oval:org.secpod.oval:def:701179
oval:org.secpod.oval:def:104708
oval:org.secpod.oval:def:104926
oval:org.secpod.oval:def:104306
...

© SecPod Technologies