6.8
CVE-2013-4164
- EPSS 34.97%
- Veröffentlicht 23.11.2013 19:55:03
- Zuletzt bearbeitet 29.04.2026 01:13:23
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 34.97% | 0.982 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
http://www.debian.org/security/2013/dsa-2809
http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
https://support.apple.com/kb/HT6536
http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
http://www.ubuntu.com/usn/USN-2035-1
http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00009.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00027.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html
http://osvdb.org/100113
http://rhn.redhat.com/errata/RHSA-2013-1763.html
http://rhn.redhat.com/errata/RHSA-2013-1764.html
http://rhn.redhat.com/errata/RHSA-2013-1767.html
http://rhn.redhat.com/errata/RHSA-2014-0011.html
http://rhn.redhat.com/errata/RHSA-2014-0215.html
http://secunia.com/advisories/55787
http://secunia.com/advisories/57376
http://www.debian.org/security/2013/dsa-2810
http://www.securityfocus.com/bid/63873
https://puppet.com/security/cve/cve-2013-4164
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released