CVE Vulnerabilities

CVE-2016-2337

Published: Jan 06, 2017 | Modified: Aug 28, 2018
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7 MODERATE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
NEGLIGIBLE

Type confusion exists in _cancel_eval Rubys TclTkIp class method. Attacker passing different type of object than String as retval argument can cause arbitrary code execution.

Affected Software

Name Vendor Start Version End Version
Ruby Ruby-lang 2.2.2 (including) 2.2.2 (including)
Ruby Ruby-lang 2.3.0 (including) 2.3.0 (including)
Ruby1.8 Ubuntu precise *
Ruby1.9.1 Ubuntu precise *
Ruby1.9.1 Ubuntu trusty *
Ruby2.0 Ubuntu trusty *

References