Description
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.
References (7)
Core 7
Core References
Various Sources x_refsource_confirm
https://puppet.com/security/cve/cve-2013-2065
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107064.html
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2035-1
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107098.html
Vendor Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-10/msg00057.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107120.html
Scores
EPSS
0.0251
EPSS Percentile
83.0%
Details
CWE
CWE-264
Status
published
Products (8)
opensuse/opensuse
12.2
opensuse/opensuse
12.3
ruby-lang/ruby
1.9
ruby-lang/ruby
1.9.1
ruby-lang/ruby
1.9.2
ruby-lang/ruby
1.9.3 (8 CPE variants)
ruby-lang/ruby
2.0
ruby-lang/ruby
2.0.0 (6 CPE variants)
Published
Nov 02, 2013
Tracked Since
Feb 18, 2026