Ruby 2.3.x and 2.2.x still bundle DoS-vulnerable version of libYAML
Severity
Medium
Program
Ruby
Reported by
usa
Vulnerability Details
Technical details and impact analysis
libYAML 0.1.6 (and 0.1.5) has a DoS vulnerability known as [CVE-2014-9130](http://www.cvedetails.com/cve/CVE-2014-9130/).
Now Ruby 2.4.x bundles the fixed version 0.1.7, but 2.3.x and 2.2.x still bundle 0.1.6.
Note that I'm the maintainer of Ruby 2.3.x and 2.2.x.
Therefore, this report is a kind of reminder.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2014-9130
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
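For a maintainer or operator who wants to know whether a given Ruby build is exposed, the practical check is the libYAML version Psych was compiled against, which for a stock Ruby 2.2.x/2.3.x build is the bundled copy. The following script is an added example, not part of the report above or of Ruby's own code; it assumes the affected range stated in the CVE text (0.1.5 and 0.1.6 affected, 0.1.7 fixed) and uses the standard `Psych::LIBYAML_VERSION` constant.

```ruby
# Added example (not from the HackerOne report or the Ruby project): check the
# libYAML build that Psych links against and compare it with the versions
# CVE-2014-9130 names.
require 'rubygems'
require 'psych'

# Affected range taken from the CVE description on this page: 0.1.5 and 0.1.6
# are affected, 0.1.7 (the version bundled by Ruby 2.4.x) carries the fix.
FIRST_AFFECTED_LIBYAML = Gem::Version.new('0.1.5')
FIXED_LIBYAML          = Gem::Version.new('0.1.7')

# True when +version+ (a "major.minor.patch" string) is an affected libYAML.
def libyaml_vulnerable?(version)
  v = Gem::Version.new(version)
  v >= FIRST_AFFECTED_LIBYAML && v < FIXED_LIBYAML
end

# Inspect the running interpreter. Psych::LIBYAML_VERSION reports the libYAML
# that the Psych extension was compiled against, so it reflects the bundled
# copy on a stock Ruby 2.2.x/2.3.x build and the system library otherwise.
def bundled_libyaml_status
  libyaml = Psych::LIBYAML_VERSION
  {
    ruby: RUBY_VERSION,
    psych: Psych::VERSION,
    libyaml: libyaml,
    vulnerable: libyaml_vulnerable?(libyaml)
  }
end

if $PROGRAM_NAME == __FILE__
  status = bundled_libyaml_status
  puts "Ruby #{status[:ruby]}, Psych #{status[:psych]}, libYAML #{status[:libyaml]}"
  if status[:vulnerable]
    puts "AFFECTED by CVE-2014-9130: rebuild Psych against libYAML #{FIXED_LIBYAML} or later"
  else
    puts "libYAML #{status[:libyaml]} is outside the affected range"
  end
end
```

Run it with the Ruby under test (`ruby check_libyaml.rb`); on a Ruby 2.2.x or 2.3.x built with the bundled libYAML it reports 0.1.6 as affected, while a build that was configured against a system libYAML 0.1.7 or newer passes even on those Ruby branches, which is why the check looks at the linked library rather than at `RUBY_VERSION` alone.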
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Memory Corruption - Generic