NVD Vulnerability Detail

CVE-2008-2725

Summary	Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
Summary	Un desbordamiento de enteros en la función (1) rb_ary_splice en Ruby 1.8.4 y versiones anteriores, 1.8.5 anterior a versión 1.8.5-p231, 1.8.6 anterior a versión 1.8.6-p230 y 1.8.7 anterior a versión 1.8.7-p22; y (2) la función rb_ary_replace en 1.6.x permite a los atacantes dependiendo del contexto desencadenar una corrupción en la memoria por medio de vectores no especificados, también se conoce como la variante "REALLOC_N", un problema diferente a los CVE-2008-2662, CVE-2008-2663 y CVE-2008-2664. NOTA: a partir de 20080624, ha habido un uso incoherente de varios identificadores CVE relacionados con Ruby. La descripción del CVE debe considerarse autorizada, aunque es probable que cambie.
Publication Date	June 25, 2008, 4:41 a.m.
Registration Date	Jan. 29, 2021, 1:37 p.m.
Last Update	April 23, 2026, 9:35 a.m.

CVSS2.0 : HIGH
Score	7.8
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:C
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	高
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ruby-lang:ruby::::::::		1.8.4
cpe:2.3:a:ruby-lang:ruby::::::::	1.8.5			1.8.5.231
cpe:2.3:a:ruby-lang:ruby::::::::	1.8.6			1.8.6.230
cpe:2.3:a:ruby-lang:ruby::::::::	1.8.7			1.8.7.22
cpe:2.3:o:debian:debian_linux:4.0:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::

Related information, measures and tools

No	URL	refsource
1	http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/	secalert@redhat.com
2	http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html	secalert@redhat.com
3	http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html	secalert@redhat.com
4	http://secunia.com/advisories/30802	secalert@redhat.com
5	http://secunia.com/advisories/30831	secalert@redhat.com
6	http://secunia.com/advisories/30867	secalert@redhat.com
7	http://secunia.com/advisories/30875	secalert@redhat.com
8	http://secunia.com/advisories/30894	secalert@redhat.com
9	http://secunia.com/advisories/31062	secalert@redhat.com
10	http://secunia.com/advisories/31090	secalert@redhat.com
11	http://secunia.com/advisories/31181	secalert@redhat.com
12	http://secunia.com/advisories/31256	secalert@redhat.com
13	http://secunia.com/advisories/31687	secalert@redhat.com
14	http://secunia.com/advisories/33178	secalert@redhat.com
15	http://security.gentoo.org/glsa/glsa-200812-17.xml	secalert@redhat.com
16	http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562	secalert@redhat.com
17	http://support.apple.com/kb/HT2163	secalert@redhat.com
18	http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities	secalert@redhat.com
19	http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206	secalert@redhat.com
20	http://www.debian.org/security/2008/dsa-1612	secalert@redhat.com
21	http://www.debian.org/security/2008/dsa-1618	secalert@redhat.com
22	http://www.mandriva.com/security/advisories?name=MDVSA-2008:140	secalert@redhat.com
23	http://www.mandriva.com/security/advisories?name=MDVSA-2008:141	secalert@redhat.com
24	http://www.mandriva.com/security/advisories?name=MDVSA-2008:142	secalert@redhat.com
25	http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/	secalert@redhat.com
26	http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.html	secalert@redhat.com
27	http://www.redhat.com/support/errata/RHSA-2008-0561.html	secalert@redhat.com
28	http://www.ruby-forum.com/topic/157034	secalert@redhat.com
29	http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/	secalert@redhat.com
30	http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html	secalert@redhat.com
31	http://www.securityfocus.com/archive/1/493688/100/0/threaded	secalert@redhat.com
32	http://www.securityfocus.com/bid/29903	secalert@redhat.com
33	http://www.securitytracker.com/id?1020347	secalert@redhat.com
34	http://www.ubuntu.com/usn/usn-621-1	secalert@redhat.com
35	http://www.vupen.com/english/advisories/2008/1907/references	secalert@redhat.com
36	http://www.vupen.com/english/advisories/2008/1981/references	secalert@redhat.com
37	http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html	secalert@redhat.com
38	https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657	secalert@redhat.com
39	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727	secalert@redhat.com
40	https://exchange.xforce.ibmcloud.com/vulnerabilities/43350	secalert@redhat.com
41	https://issues.rpath.com/browse/RPL-2626	secalert@redhat.com
42	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9606	secalert@redhat.com
43	https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html	secalert@redhat.com
44	http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/	af854a3a-2127-422b-91ae-364da2661108
45	http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html	af854a3a-2127-422b-91ae-364da2661108
46	http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html	af854a3a-2127-422b-91ae-364da2661108
47	http://secunia.com/advisories/30802	af854a3a-2127-422b-91ae-364da2661108
48	http://secunia.com/advisories/30831	af854a3a-2127-422b-91ae-364da2661108
49	http://secunia.com/advisories/30867	af854a3a-2127-422b-91ae-364da2661108
50	http://secunia.com/advisories/30875	af854a3a-2127-422b-91ae-364da2661108
51	http://secunia.com/advisories/30894	af854a3a-2127-422b-91ae-364da2661108
52	http://secunia.com/advisories/31062	af854a3a-2127-422b-91ae-364da2661108
53	http://secunia.com/advisories/31090	af854a3a-2127-422b-91ae-364da2661108
54	http://secunia.com/advisories/31181	af854a3a-2127-422b-91ae-364da2661108
55	http://secunia.com/advisories/31256	af854a3a-2127-422b-91ae-364da2661108
56	http://secunia.com/advisories/31687	af854a3a-2127-422b-91ae-364da2661108
57	http://secunia.com/advisories/33178	af854a3a-2127-422b-91ae-364da2661108
58	http://security.gentoo.org/glsa/glsa-200812-17.xml	af854a3a-2127-422b-91ae-364da2661108
59	http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.429562	af854a3a-2127-422b-91ae-364da2661108
60	http://support.apple.com/kb/HT2163	af854a3a-2127-422b-91ae-364da2661108
61	http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities	af854a3a-2127-422b-91ae-364da2661108
62	http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206	af854a3a-2127-422b-91ae-364da2661108
63	http://www.debian.org/security/2008/dsa-1612	af854a3a-2127-422b-91ae-364da2661108
64	http://www.debian.org/security/2008/dsa-1618	af854a3a-2127-422b-91ae-364da2661108
65	http://www.mandriva.com/security/advisories?name=MDVSA-2008:140	af854a3a-2127-422b-91ae-364da2661108
66	http://www.mandriva.com/security/advisories?name=MDVSA-2008:141	af854a3a-2127-422b-91ae-364da2661108
67	http://www.mandriva.com/security/advisories?name=MDVSA-2008:142	af854a3a-2127-422b-91ae-364da2661108
68	http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/	af854a3a-2127-422b-91ae-364da2661108
69	http://www.redhat.com/archives/fedora-security-commits/2008-June/msg00005.html	af854a3a-2127-422b-91ae-364da2661108
70	http://www.redhat.com/support/errata/RHSA-2008-0561.html	af854a3a-2127-422b-91ae-364da2661108
71	http://www.ruby-forum.com/topic/157034	af854a3a-2127-422b-91ae-364da2661108
72	http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/	af854a3a-2127-422b-91ae-364da2661108
73	http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html	af854a3a-2127-422b-91ae-364da2661108
74	http://www.securityfocus.com/archive/1/493688/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
75	http://www.securityfocus.com/bid/29903	af854a3a-2127-422b-91ae-364da2661108
76	http://www.securitytracker.com/id?1020347	af854a3a-2127-422b-91ae-364da2661108
77	http://www.ubuntu.com/usn/usn-621-1	af854a3a-2127-422b-91ae-364da2661108
78	http://www.vupen.com/english/advisories/2008/1907/references	af854a3a-2127-422b-91ae-364da2661108
79	http://www.vupen.com/english/advisories/2008/1981/references	af854a3a-2127-422b-91ae-364da2661108
80	http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html	af854a3a-2127-422b-91ae-364da2661108
81	https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657	af854a3a-2127-422b-91ae-364da2661108
82	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727	af854a3a-2127-422b-91ae-364da2661108
83	https://exchange.xforce.ibmcloud.com/vulnerabilities/43350	af854a3a-2127-422b-91ae-364da2661108
84	https://issues.rpath.com/browse/RPL-2626	af854a3a-2127-422b-91ae-364da2661108
85	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9606	af854a3a-2127-422b-91ae-364da2661108
86	https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00937.html	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html