{
  "threat_severity" : "Moderate",
  "public_date" : "2017-09-14T00:00:00Z",
  "bugzilla" : {
    "description" : "ruby: Buffer underrun vulnerability in Kernel.sprintf",
    "id" : "1492015",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1492015"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.", "A buffer underflow was found in ruby's sprintf function. An attacker, with ability to control its format string parameter, could send a specially crafted string that would disclose heap memory or crash the interpreter." ],
  "statement" : "This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2018-02-28T00:00:00Z",
    "advisory" : "RHSA-2018:0378",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "ruby-0:2.0.0.648-33.el7_4"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-12-19T00:00:00Z",
    "advisory" : "RHSA-2017:3485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby24-ruby-0:2.4.2-86.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0583",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby22-ruby-0:2.2.9-19.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0585",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby23-ruby-0:2.3.6-67.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-12-19T00:00:00Z",
    "advisory" : "RHSA-2017:3485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby24-ruby-0:2.4.2-86.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0583",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby22-ruby-0:2.2.9-19.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0585",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby23-ruby-0:2.3.6-67.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-12-19T00:00:00Z",
    "advisory" : "RHSA-2017:3485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.2-86.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0583",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby22-ruby-0:2.2.9-19.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0585",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.6-67.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-12-19T00:00:00Z",
    "advisory" : "RHSA-2017:3485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.2-86.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0583",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby22-ruby-0:2.2.9-19.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0585",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.6-67.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2017-12-19T00:00:00Z",
    "advisory" : "RHSA-2017:3485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.2-86.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0583",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby22-ruby-0:2.2.9-19.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-03-26T00:00:00Z",
    "advisory" : "RHSA-2018:0585",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.6-67.el7"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Not affected",
    "package_name" : "rh-ruby22-ruby",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Not affected",
    "package_name" : "ruby-200-ruby",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-ruby",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-0898\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-0898\nhttps://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/" ],
  "name" : "CVE-2017-0898",
  "csaw" : false
}