Ruby TclTkIp 'ip_cancel_eval()' Function Type Confusion Remote Code Execution Vulnerability

Ruby is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause a denial-of-service condition.

Ruby versions 2.2.2 and 2.3.0 are vulnerable.

Information

Bugtraq ID: 91233
Class: Unknown
CVE: CVE-2016-2337

Remote: Yes
Local: No
Published: Jun 14 2016 12:00AM
Updated: Jul 26 2017 10:08AM
Credit: Marcin ‘Icewall’ Noga of Cisco Talos.
Vulnerable: Yukihiro Matsumoto Ruby 2.3.0
Yukihiro Matsumoto Ruby 2.2.2
Ubuntu Ubuntu Linux 17.04
Ubuntu Ubuntu Linux 16.04 LTS
Ubuntu Ubuntu Linux 14.04 LTS

Not Vulnerable:

Exploit

The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.
