CVE-2018-16396

Public on 2018-11-16

Modified on 2020-08-12

Description

An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.

Severity

Medium

See what this means

CVSS v3 Base Score

5.9

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	ruby	2019-08-23 03:41	ALAS2-2019-1276
Amazon Linux 1	ruby20	2020-08-10 23:07	ALAS-2020-1416
Amazon Linux 1	ruby23	2018-12-06 00:31	ALAS-2018-1113
Amazon Linux 1	ruby24	2018-12-06 00:31	ALAS-2018-1113

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD	CVSSv2	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD	CVSSv3	8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2018-16396 Mitre: CVE-2018-16396 FAQs regarding Amazon Linux ALAS/CVE Severity