NVD Vulnerability Detail

CVE-2015-3649

Summary	The open-uri-cached rubygem allows local users to execute arbitrary Ruby code by creating a directory under /tmp containing "openuri-" followed by a crafted UID, and putting Ruby code in said directory once a meta file is created.
Publication Date	Aug. 19, 2017, 1:29 a.m.
Registration Date	Jan. 26, 2021, 2:49 p.m.
Last Update	Nov. 21, 2024, 11:29 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:open-uri-cached_project:open-uri-cached:0.0.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.benjaminfleischer.com/2013/03/20/yaml-and-security-in-ruby/	Third Party Advisory
2	http://www.benjaminfleischer.com/2013/03/20/yaml-and-security-in-ruby/	Third Party Advisory
3	http://www.openwall.com/lists/oss-security/2015/05/06/2	Mailing List Third Party Advisory
4	http://www.openwall.com/lists/oss-security/2015/05/06/2	Mailing List Third Party Advisory
5	http://www.securityfocus.com/bid/74469	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/74469	Third Party Advisory VDB Entry
7	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L115	Third Party Advisory
8	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L115	Third Party Advisory
9	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L25	Third Party Advisory
10	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L25	Third Party Advisory
11	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L39	Third Party Advisory
12	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L39	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN Vulnerability Information

open-uri-cached rubygem における入力確認に関する脆弱性

Title	open-uri-cached rubygem における入力確認に関する脆弱性
Summary	open-uri-cached rubygem には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	May 5, 2015, midnight
Registration Date	Sept. 13, 2017, 2:41 p.m.
Last Update	Sept. 13, 2017, 2:41 p.m.

Affected System

open-uri-cached project

open-uri-cached

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-3649	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3649
National Vulnerability Database (NVD)
2	CVE-2015-3649	https://nvd.nist.gov/vuln/detail/CVE-2015-3649

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
GitHub
1	open-uri-cached/lib/open-uri/cached.rb (L115)	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L115
2	open-uri-cached/lib/open-uri/cached.rb (L25)	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L25
3	open-uri-cached/lib/open-uri/cached.rb (L39)	https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L39
open-uri-cached
4	open-uri-cached	https://rubygems.org/gems/open-uri-cached

その他

No	Name	URL
関連文書
1	RubyGems open-uri-cached 'cached.rb' Local Privilege Escalation Vulnerability	http://www.securityfocus.com/bid/74469

Change Log

No	Changed Details	Date of change
0	[2017年09月13日] 掲載	Feb. 17, 2018, 10:37 a.m.