Ruby 2.4.0 Onigmo regparse.c parse_char_class Regular Expression input validation
A vulnerability was found in Ruby 2.4.0. It has been classified as problematic. This affects the function
parse_char_class of the file regparse.c of the component Onigmo. The manipulation as part of Regular Expression leads to improper input validation. The CWE definition for the vulnerability is CWE-20. The bug was discovered 02/20/2017. The weakness was shared 04/03/2017 as 13234 (Website). The advisory is shared at bugs.ruby-lang.org.
This vulnerability is uniquely identified as CVE-2017-6181. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment.
It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 42 days. We expect the 0-day to have been worth approximately $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 111873 (Photon OS 1.0: Libxml2 / Ncurses / Openldap / Ruby PHSA-2017-0024 (deprecated)), which helps to determine the existence of the flaw in a target environment.
A possible mitigation has been published 4 months after the disclosure of the vulnerability.
The vulnerability is also documented other vulnerability databases: SecurityFocus (BID 97304) and Tenable (111873).
Want to stay up to date on a daily basis?
Enable the mail alert feature now!