VDB
CVE-2009-4492
CVE-2009-4492
PUBLISHED
CVSS 9.300000190734863 CRITICAL
WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
EPSS 21.10% · 95.8th percentile
Risk Scores
CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
21.10%
95.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| RubyGems | webrick | 0 |
| ruby-lang | webrick | 1.3.1 |
| n/a | n/a | n/a |
Exploit Intelligence
- CIRCL confirmed: CVE-2009-4492 (circl-sighting)
- http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection (circl)
- RHSA-2011:0909 (circl)
- 37949 (circl)
- ADV-2010-0089 (circl)
- RHSA-2011:0908 (circl)
- http://www.ush.it/team/ush/hack_httpd_escape/adv.txt (circl)
- 37710 (circl)
- 20100110 Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection (circl)
- 1023429 (circl)
Timeline
- Jan 11, 2010 PoC Published
- Jan 13, 2010 CVE Published
- Feb 4, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
- Dec 22, 2023 EPSS Score
- Feb 12, 2024 EPSS Score
References
- http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection url
- RHSA-2011:0909 vendor-advisory
- 37949 third-party-advisory
- ADV-2010-0089 vdb
- RHSA-2011:0908 vendor-advisory
- http://www.ush.it/team/ush/hack_httpd_escape/adv.txt url
- 37710 vdb
- 20100110 Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection mailing-list
- 1023429 vdb
- https://nvd.nist.gov/vuln/detail/CVE-2009-4492 advisory
- https://github.com/advisories/GHSA-6mq2-37j5-w6r6 advisory
- https://github.com/ruby/webrick package
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2009-4492.yml url
- https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089 url
- https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949 url
- https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429 url
- https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded url
- https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710 url