CVE-2011-2705

EPSS 0.99%
Published 05.08.2011 21:55:04
Last modified 11.04.2025 00:51:21
Source secalert@redhat.com
Teams watchlist Login
Open Login

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

Affected products Warnungen 0 Metrics 2 CWE 1 References 18

Data is provided by the National Vulnerability Database (NVD)

Ruby-lang ≫ Ruby Version <= 1.8.7-334

Ruby-lang ≫ Ruby Version1.8.7 Updatep22

Ruby-lang ≫ Ruby Version1.8.7 Updatep71

Ruby-lang ≫ Ruby Version1.8.7 Updatep72

Ruby-lang ≫ Ruby Version1.8.7-160

Ruby-lang ≫ Ruby Version1.8.7-173

Ruby-lang ≫ Ruby Version1.8.7-248

Ruby-lang ≫ Ruby Version1.8.7-249

Ruby-lang ≫ Ruby Version1.8.7-299

Ruby-lang ≫ Ruby Version1.8.7-302

Ruby-lang ≫ Ruby Version1.8.7-330

Ruby-lang ≫ Ruby Version1.8.7-p21

Ruby-lang ≫ Ruby Version1.9

Ruby-lang ≫ Ruby Version1.9 Updater18423

Ruby-lang ≫ Ruby Version1.9.0

Ruby-lang ≫ Ruby Version1.9.0 Updater18423

Ruby-lang ≫ Ruby Version1.9.0-0

Ruby-lang ≫ Ruby Version1.9.0-1

Ruby-lang ≫ Ruby Version1.9.0-2

Ruby-lang ≫ Ruby Version1.9.0-20060415

Ruby-lang ≫ Ruby Version1.9.0-20070709

Ruby-lang ≫ Ruby Version1.9.1

Ruby-lang ≫ Ruby Version1.9.1 Update-p0

Ruby-lang ≫ Ruby Version1.9.1 Update-p129

Ruby-lang ≫ Ruby Version1.9.1 Update-p243

Ruby-lang ≫ Ruby Version1.9.1 Update-p376

Ruby-lang ≫ Ruby Version1.9.1 Update-p429

Ruby-lang ≫ Ruby Version1.9.1 Update-preview_1

Ruby-lang ≫ Ruby Version1.9.1 Update-preview_2

Ruby-lang ≫ Ruby Version1.9.1 Update-rc1

Ruby-lang ≫ Ruby Version1.9.1 Update-rc2

Ruby-lang ≫ Ruby Version1.9.2

Ruby-lang ≫ Ruby Version1.9.2 Updatedev

Ruby-lang ≫ Ruby Version1.9.2-p136

Ruby-lang ≫ Ruby Version1.9.2-p180

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.99%	0.762

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html

http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_352/ChangeLog

http://www.openwall.com/lists/oss-security/2011/07/11/1

Patch

http://www.openwall.com/lists/oss-security/2011/07/12/14

Patch

http://www.openwall.com/lists/oss-security/2011/07/20/1

Patch

http://www.openwall.com/lists/oss-security/2011/07/20/16

Patch