GHSA-2gw2-8q9w-cw8p

Source

https://github.com/advisories/GHSA-2gw2-8q9w-cw8p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-2gw2-8q9w-cw8p/GHSA-2gw2-8q9w-cw8p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2gw2-8q9w-cw8p

Aliases

CVE-2018-1000201

Published

2018-08-31T14:55:43Z

Modified

2024-02-16T08:15:21.317366Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Ruby-ffi has a DLL loading issue

Details

ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.

Database specific

{
    "github_reviewed_at": "2020-06-16T20:52:04Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-426"
    ],
    "severity": "HIGH"
}

References

Affected packages

RubyGems / ffi

Package

Name: ffi
Purl: pkg:gem/ffi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.24

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.4.0

0.5.0

0.5.1

0.5.3

0.5.4

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.9

1.0.10

1.0.11

1.0.12.pre

1.0.12.rc1

1.0.12.rc2

1.0.12.rc3

1.1.0.rc1

1.1.0.rc2

1.1.0.rc3

1.1.0.rc4

1.1.0

1.1.1.rc1

1.1.1.rc2

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6.pre1

1.1.6.pre2

1.2.0.dev

1.2.0.dev2

1.2.0.dev3

1.2.0.dev4

1.2.0.pre1

1.2.0.pre2

1.2.0.pre3

1.2.0.pre4

1.2.0.pre5

1.2.0.pre6

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.1.dev

1.5.0.pre1

1.5.0

1.6.0

1.7.0.dev

1.7.0

1.8.1

1.9.0

1.9.3

1.9.5

1.9.6

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.9.16

1.9.17

1.9.18

1.9.21

1.9.22

1.9.23.pre1

1.9.23