CVE-2008-1891
PUBLISHED
CVSS 5 MEDIUM
Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
EPSS 0.21% · 42.9th percentile
Risk Scores
- CVSS v2.0: 5
- EPSS Score: 0.21% (42.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ruby-lang | ruby | 0, 1.8.6, 1.8.5 |
| n/a | n/a | * |
Timeline
- Apr 18, 2008 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 17, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Apr 1, 2023 EPSS Score
- May 24, 2023 EPSS Score
- Jul 15, 2023 EPSS Score
References
- 29794 third-party-advisory
- SUSE-SR:2008:017 vendor-advisory
- MDVSA-2008:141 vendor-advisory
- ruby-webrick-cgi-info-disclosure(41824) vdb
- 31687 third-party-advisory
- http://aluigi.altervista.org/adv/webrickcgi-adv.txt url
- FEDORA-2008-5649 vendor-advisory
- MDVSA-2008:140 vendor-advisory
- 30831 third-party-advisory
- ADV-2008-1245 vdb
- http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ url
- https://nvd.nist.gov/vuln/detail/CVE-2008-1891 advisory
- http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities url