Vulnerability-Lookup

CVE-2017-14064 (GCVE-0-2017-14064)

Vulnerability from cvelistv5 – Published: 2017-08-31 17:00 – Updated: 2024-08-05 19:13

Summary

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

Severity

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

16 references

URL	Tags
https://usn.ubuntu.com/3685-1/	vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2018:0585	vendor-advisoryx_refsource_REDHAT
https://www.debian.org/security/2017/dsa-3966	vendor-advisoryx_refsource_DEBIAN
https://www.ruby-lang.org/en/news/2017/09/14/ruby…	x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:0378	vendor-advisoryx_refsource_REDHAT
https://hackerone.com/reports/209949	x_refsource_MISC
http://www.securitytracker.com/id/1042004	vdb-entryx_refsource_SECTRACK
https://www.ruby-lang.org/en/news/2017/09/14/ruby…	x_refsource_CONFIRM
http://www.securitytracker.com/id/1039363	vdb-entryx_refsource_SECTRACK
https://access.redhat.com/errata/RHSA-2017:3485	vendor-advisoryx_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2018…	mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2018:0583	vendor-advisoryx_refsource_REDHAT
https://bugs.ruby-lang.org/issues/13853	x_refsource_MISC
https://github.com/flori/json/commit/8f782fd8e181…	x_refsource_MISC
http://www.securityfocus.com/bid/100890	vdb-entryx_refsource_BID
https://security.gentoo.org/glsa/201710-18	vendor-advisoryx_refsource_GENTOO

Date Public

2017-08-31 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:13:41.685Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3685-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3685-1/"
          },
          {
            "name": "RHSA-2018:0585",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0585"
          },
          {
            "name": "DSA-3966",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-3966"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/"
          },
          {
            "name": "RHSA-2018:0378",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0378"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/209949"
          },
          {
            "name": "1042004",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1042004"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/"
          },
          {
            "name": "1039363",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039363"
          },
          {
            "name": "RHSA-2017:3485",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3485"
          },
          {
            "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
          },
          {
            "name": "RHSA-2018:0583",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0583"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.ruby-lang.org/issues/13853"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85"
          },
          {
            "name": "100890",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100890"
          },
          {
            "name": "GLSA-201710-18",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201710-18"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-08-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a \u0027\\0\u0027 byte, returning a pointer to a string of length zero, which is not the length stored in space_len."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-31T09:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3685-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3685-1/"
        },
        {
          "name": "RHSA-2018:0585",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0585"
        },
        {
          "name": "DSA-3966",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-3966"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/"
        },
        {
          "name": "RHSA-2018:0378",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0378"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/209949"
        },
        {
          "name": "1042004",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1042004"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/"
        },
        {
          "name": "1039363",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039363"
        },
        {
          "name": "RHSA-2017:3485",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3485"
        },
        {
          "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
        },
        {
          "name": "RHSA-2018:0583",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0583"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.ruby-lang.org/issues/13853"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85"
        },
        {
          "name": "100890",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100890"
        },
        {
          "name": "GLSA-201710-18",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201710-18"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-14064",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a \u0027\\0\u0027 byte, returning a pointer to a string of length zero, which is not the length stored in space_len."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3685-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3685-1/"
            },
            {
              "name": "RHSA-2018:0585",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0585"
            },
            {
              "name": "DSA-3966",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-3966"
            },
            {
              "name": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/",
              "refsource": "CONFIRM",
              "url": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/"
            },
            {
              "name": "RHSA-2018:0378",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0378"
            },
            {
              "name": "https://hackerone.com/reports/209949",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/209949"
            },
            {
              "name": "1042004",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1042004"
            },
            {
              "name": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/",
              "refsource": "CONFIRM",
              "url": "https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/"
            },
            {
              "name": "1039363",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039363"
            },
            {
              "name": "RHSA-2017:3485",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3485"
            },
            {
              "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
            },
            {
              "name": "RHSA-2018:0583",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0583"
            },
            {
              "name": "https://bugs.ruby-lang.org/issues/13853",
              "refsource": "MISC",
              "url": "https://bugs.ruby-lang.org/issues/13853"
            },
            {
              "name": "https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85",
              "refsource": "MISC",
              "url": "https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85"
            },
            {
              "name": "100890",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100890"
            },
            {
              "name": "GLSA-201710-18",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201710-18"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-14064",
    "datePublished": "2017-08-31T17:00:00.000Z",
    "dateReserved": "2017-08-31T00:00:00.000Z",
    "dateUpdated": "2024-08-05T19:13:41.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2017-14064",
      "date": "2026-06-22",
      "epss": "0.09445",
      "percentile": "0.9479"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.2.7\", \"matchCriteriaId\": \"20D4B423-C141-4B08-9FE4-2ADCB868A224\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"822307DD-7F7D-44C2-9C4B-CB8704663410\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2D62AC9-83B8-4C84-A47E-2B06C2816964\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*\", \"matchCriteriaId\": \"E583E49C-95B1-4AE4-AA7A-6D6BA7D470B4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F197C5A-2588-417F-A743-E72D1E8EF4F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FBA01BF1-91AD-4968-9AC2-A194FCD6AB76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B36CCD91-2A20-4C2E-96D5-73704DFC10E4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"485C401C-CC3B-4A74-82D6-F4539FFE48B8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9E99F5A-E693-43E9-8AB3-A3FCB21BCF14\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*\", \"matchCriteriaId\": \"9DDA92E9-C9CF-47B9-B647-0202D493D057\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*\", \"matchCriteriaId\": \"A682A487-A615-404C-A7D9-A28C0C31B4E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*\", \"matchCriteriaId\": \"8930BA64-E9BC-42E0-9D74-8FA2ABD1F692\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"A87AE96A-F7FB-41A2-943C-DFAEA6D81446\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"946D2AB0-D334-4D94-BDA2-733BFC6C9E1E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B5A6F2F3-4894-4392-8296-3B8DD2679084\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9070C9D8-A14A-467F-8253-33B966C16886\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"33C068A4-3780-4EAB-A937-6082DF847564\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"51EF4996-72F4-4FA4-814F-F5991E7A8318\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D99A687E-EAE6-417E-A88E-D0082BC194CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B353CE99-D57C-465B-AAB0-73EF581127D1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BF77CDCF-B9C9-427D-B2BF-36650FB2148C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D5F7E11E-FB34-4467-8919-2B6BEAABF665\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B76AA310-FEC7-497F-AF04-C3EC1E76C4CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a \u0027\\\\0\u0027 byte, returning a pointer to a string of length zero, which is not the length stored in space_len.\"}, {\"lang\": \"es\", \"value\": \"Ruby hasta la versi\\u00f3n 2.2.7, 2.3.x hasta la 2.3.4, y 2.4.x hasta la 2.4.1 puede exponer memoria arbitraria durante una llamada JSON.generate. Los problemas surgen al usar strdup en ext/json/ext/generator/generator.c, el cual se detendr\\u00eda despu\\u00e9s de encontrar un byte \u0027\\\\0\u0027, devolviendo un puntero a un string de longitud cero, que no es la longitud almacenada en space_len.\"}]",
      "id": "CVE-2017-14064",
      "lastModified": "2024-11-21T03:12:04.947",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-08-31T17:29:00.183",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/100890\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1039363\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1042004\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3485\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0378\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0583\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0585\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.ruby-lang.org/issues/13853\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/209949\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201710-18\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3685-1/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2017/dsa-3966\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/100890\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1039363\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1042004\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3485\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0378\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0583\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0585\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.ruby-lang.org/issues/13853\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/209949\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201710-18\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3685-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2017/dsa-3966\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-119\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-14064\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-08-31T17:29:00.183\",\"lastModified\":\"2026-05-13T00:24:29.033\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a \u0027\\\\0\u0027 byte, returning a pointer to a string of length zero, which is not the length stored in space_len.\"},{\"lang\":\"es\",\"value\":\"Ruby hasta la versi\u00f3n 2.2.7, 2.3.x hasta la 2.3.4, y 2.4.x hasta la 2.4.1 puede exponer memoria arbitraria durante una llamada JSON.generate. Los problemas surgen al usar strdup en ext/json/ext/generator/generator.c, el cual se detendr\u00eda despu\u00e9s de encontrar un byte \u0027\\\\0\u0027, devolviendo un puntero a un string de longitud cero, que no es la longitud almacenada en space_len.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.7\",\"matchCriteriaId\":\"20D4B423-C141-4B08-9FE4-2ADCB868A224\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"822307DD-7F7D-44C2-9C4B-CB8704663410\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2D62AC9-83B8-4C84-A47E-2B06C2816964\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E583E49C-95B1-4AE4-AA7A-6D6BA7D470B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F197C5A-2588-417F-A743-E72D1E8EF4F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FBA01BF1-91AD-4968-9AC2-A194FCD6AB76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B36CCD91-2A20-4C2E-96D5-73704DFC10E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"485C401C-CC3B-4A74-82D6-F4539FFE48B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9E99F5A-E693-43E9-8AB3-A3FCB21BCF14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DDA92E9-C9CF-47B9-B647-0202D493D057\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A682A487-A615-404C-A7D9-A28C0C31B4E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*\",\"matchCriteriaId\":\"8930BA64-E9BC-42E0-9D74-8FA2ABD1F692\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A87AE96A-F7FB-41A2-943C-DFAEA6D81446\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"946D2AB0-D334-4D94-BDA2-733BFC6C9E1E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B5A6F2F3-4894-4392-8296-3B8DD2679084\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9070C9D8-A14A-467F-8253-33B966C16886\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C068A4-3780-4EAB-A937-6082DF847564\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51EF4996-72F4-4FA4-814F-F5991E7A8318\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D99A687E-EAE6-417E-A88E-D0082BC194CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B353CE99-D57C-465B-AAB0-73EF581127D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF77CDCF-B9C9-427D-B2BF-36650FB2148C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5F7E11E-FB34-4467-8919-2B6BEAABF665\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B76AA310-FEC7-497F-AF04-C3EC1E76C4CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100890\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039363\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1042004\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3485\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0378\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0583\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0585\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.ruby-lang.org/issues/13853\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/209949\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201710-18\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3685-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2017/dsa-3966\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100890\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039363\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1042004\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3485\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0378\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0583\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0585\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.ruby-lang.org/issues/13853\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/209949\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201710-18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3685-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2017/dsa-3966\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

WID-SEC-W-2026-1420

Vulnerability from csaf_certbund - Published: 2017-08-31 22:00 - Updated: 2026-05-07 22:00

Summary

Ruby: Schwachstelle ermöglicht Offenlegung von Informationen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Ruby ist eine interpretierte, objektorientierte Skriptsprache.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Ruby ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2017-14064

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Ruby <2.2.7 Open Source / Ruby		<2.2.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Ruby <2.4.1 Open Source / Ruby		<2.4.1
Open Source Ruby <2.3.4 Open Source / Ruby		<2.3.4
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

References

18 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://nvd.nist.gov/vuln/detail/CVE-2017-14064	external
https://www.debian.org/security/2017/dsa-3966	external
http://www.ubuntu.com/usn/usn-3439-1/	external
https://security.gentoo.org/glsa/201710-18	external
https://access.redhat.com/errata/RHSA-2017:3485	external
http://www.ubuntu.com/usn/usn-3528-1/	external
https://access.redhat.com/errata/RHSA-2018:0378	external
http://linux.oracle.com/errata/ELSA-2018-0378.html	external
http://centos-announce.2309468.n4.nabble.com/Cent…	external
http://rhn.redhat.com/errata/RHSA-2018-0585.html	external
http://rhn.redhat.com/errata/RHSA-2018-0583.html	external
http://lists.suse.com/pipermail/sle-security-upda…	external
https://ubuntu.com/security/notices/USN-3685-2	external
https://access.redhat.com/errata/RHSA-2026:7305	external
https://access.redhat.com/errata/RHSA-2026:7307	external
https://access.redhat.com/errata/RHSA-2026:8838	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Ruby ist eine interpretierte, objektorientierte Skriptsprache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Ruby ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1420 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2017/wid-sec-w-2026-1420.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1420 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1420"
      },
      {
        "category": "external",
        "summary": "Eintrag im National Vulnerability Database vom 2017-08-31",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14064"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-3966 vom 2017-09-06",
        "url": "https://www.debian.org/security/2017/dsa-3966"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3439-1 vom 2017-10-05",
        "url": "http://www.ubuntu.com/usn/usn-3439-1/"
      },
      {
        "category": "external",
        "summary": "GENTOO Security Advisory GLSA201710-18 vom 2017-10-18",
        "url": "https://security.gentoo.org/glsa/201710-18"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2017:3485 vom 2017-12-19",
        "url": "https://access.redhat.com/errata/RHSA-2017:3485"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3528-1 vom 2018-01-10",
        "url": "http://www.ubuntu.com/usn/usn-3528-1/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2018:0378 vom 2018-02-28",
        "url": "https://access.redhat.com/errata/RHSA-2018:0378"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2018-0378 vom 2018-03-01",
        "url": "http://linux.oracle.com/errata/ELSA-2018-0378.html"
      },
      {
        "category": "external",
        "summary": "CentOS Security Advisory CESA-2018:0378 vom 2018-03-10",
        "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2018-0378-Important-CentOS-7-ruby-Security-Update-tp4644999.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2018:0585 vom 2018-03-26",
        "url": "http://rhn.redhat.com/errata/RHSA-2018-0585.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2018:0583 vom 2018-03-26",
        "url": "http://rhn.redhat.com/errata/RHSA-2018-0583.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:1570-1 vom 2020-06-09",
        "url": "http://lists.suse.com/pipermail/sle-security-updates/2020-June/006905.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3685-1 vom 2021-03-25",
        "url": "https://ubuntu.com/security/notices/USN-3685-2"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:7305 vom 2026-05-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:7305"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:7307 vom 2026-05-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:7307"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:8838 vom 2026-05-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:8838"
      }
    ],
    "source_lang": "en-US",
    "title": "Ruby: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2026-05-07T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-08T10:51:43.852+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1420",
      "initial_release_date": "2017-08-31T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2017-08-31T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initial Release"
        },
        {
          "date": "2017-08-31T22:00:00.000+00:00",
          "number": "2",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2017-09-05T22:00:00.000+00:00",
          "number": "3",
          "summary": "New remediations available"
        },
        {
          "date": "2017-09-07T22:00:00.000+00:00",
          "number": "4",
          "summary": "Added references"
        },
        {
          "date": "2017-10-17T22:00:00.000+00:00",
          "number": "5",
          "summary": "New remediations available"
        },
        {
          "date": "2017-12-19T23:00:00.000+00:00",
          "number": "6",
          "summary": "New remediations available"
        },
        {
          "date": "2018-01-10T23:00:00.000+00:00",
          "number": "7",
          "summary": "New remediations available"
        },
        {
          "date": "2018-02-28T23:00:00.000+00:00",
          "number": "8",
          "summary": "New remediations available"
        },
        {
          "date": "2018-03-11T23:00:00.000+00:00",
          "number": "9",
          "summary": "New remediations available"
        },
        {
          "date": "2018-03-25T22:00:00.000+00:00",
          "number": "10",
          "summary": "New remediations available"
        },
        {
          "date": "2020-06-09T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2021-03-25T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source CentOS",
            "product": {
              "name": "Open Source CentOS",
              "product_id": "1727",
              "product_identification_helper": {
                "cpe": "cpe:/o:centos:centos:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.2.7",
                "product": {
                  "name": "Open Source Ruby \u003c2.2.7",
                  "product_id": "T010664"
                }
              },
              {
                "category": "product_version",
                "name": "2.2.7",
                "product": {
                  "name": "Open Source Ruby 2.2.7",
                  "product_id": "T010664-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ruby-lang:ruby:2.2.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.3.4",
                "product": {
                  "name": "Open Source Ruby \u003c2.3.4",
                  "product_id": "T010665"
                }
              },
              {
                "category": "product_version",
                "name": "2.3.4",
                "product": {
                  "name": "Open Source Ruby 2.3.4",
                  "product_id": "T010665-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ruby-lang:ruby:2.3.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.4.1",
                "product": {
                  "name": "Open Source Ruby \u003c2.4.1",
                  "product_id": "T010666"
                }
              },
              {
                "category": "product_version",
                "name": "2.4.1",
                "product": {
                  "name": "Open Source Ruby 2.4.1",
                  "product_id": "T010666-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ruby-lang:ruby:2.4.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ruby"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-14064",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T010664",
          "67646",
          "T000126",
          "T010666",
          "T010665",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2017-08-31T22:00:00.000+00:00",
      "title": "CVE-2017-14064"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-14064 (GCVE-0-2017-14064)

WID-SEC-W-2026-1420

Tags

Sightings

Nomenclature