CVE-2018-8780

Public on 2018-04-03

Modified on 2019-08-27

Description

It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.

Severity

Medium

See what this means

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	ruby	2019-08-23 03:41	ALAS2-2019-1276
Amazon Linux 1	ruby20	2018-04-04 23:18	ALAS-2018-983
Amazon Linux 1	ruby22	2018-04-04 23:18	ALAS-2018-983
Amazon Linux 1	ruby23	2018-04-04 23:18	ALAS-2018-983
Amazon Linux 1	ruby24	2018-04-04 23:18	ALAS-2018-983

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
NVD	CVSSv2	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD	CVSSv3	9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Red Hat: CVE-2018-8780 Mitre: CVE-2018-8780 FAQs regarding Amazon Linux ALAS/CVE Severity