CVE Vulnerabilities

CVE-2017-0898

Use of Externally-Controlled Format String

Published: Sep 15, 2017 | Modified: Apr 20, 2025
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:P
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Ubuntu
MEDIUM

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name Vendor Start Version End Version
Ruby Ruby-lang 2.2.0 (including) 2.2.0 (including)
Ruby Ruby-lang 2.2.1 (including) 2.2.1 (including)
Ruby Ruby-lang 2.2.2 (including) 2.2.2 (including)
Ruby Ruby-lang 2.2.3 (including) 2.2.3 (including)
Ruby Ruby-lang 2.2.4 (including) 2.2.4 (including)
Ruby Ruby-lang 2.2.5 (including) 2.2.5 (including)
Ruby Ruby-lang 2.2.6 (including) 2.2.6 (including)
Ruby Ruby-lang 2.2.7 (including) 2.2.7 (including)
Ruby Ruby-lang 2.3.0 (including) 2.3.0 (including)
Ruby Ruby-lang 2.3.1 (including) 2.3.1 (including)
Ruby Ruby-lang 2.3.2 (including) 2.3.2 (including)
Ruby Ruby-lang 2.3.3 (including) 2.3.3 (including)
Ruby Ruby-lang 2.3.4 (including) 2.3.4 (including)
Ruby Ruby-lang 2.4.0 (including) 2.4.0 (including)
Ruby Ruby-lang 2.4.1 (including) 2.4.1 (including)
Red Hat Enterprise Linux 7 RedHat ruby-0:2.0.0.648-33.el7_4 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat rh-ruby24-ruby-0:2.4.2-86.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat rh-ruby22-ruby-0:2.2.9-19.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat rh-ruby23-ruby-0:2.3.6-67.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS RedHat rh-ruby24-ruby-0:2.4.2-86.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS RedHat rh-ruby22-ruby-0:2.2.9-19.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS RedHat rh-ruby23-ruby-0:2.3.6-67.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-ruby24-ruby-0:2.4.2-86.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-ruby22-ruby-0:2.2.9-19.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-ruby23-ruby-0:2.3.6-67.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS RedHat rh-ruby24-ruby-0:2.4.2-86.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS RedHat rh-ruby22-ruby-0:2.2.9-19.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS RedHat rh-ruby23-ruby-0:2.3.6-67.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-ruby24-ruby-0:2.4.2-86.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-ruby22-ruby-0:2.2.9-19.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-ruby23-ruby-0:2.3.6-67.el7 *
Ruby1.9.1 Ubuntu trusty *
Ruby2.0 Ubuntu trusty *
Ruby2.3 Ubuntu artful *
Ruby2.3 Ubuntu esm-infra/xenial *
Ruby2.3 Ubuntu upstream *
Ruby2.3 Ubuntu xenial *
Ruby2.3 Ubuntu zesty *

Potential Mitigations

References