{
  "threat_severity" : "Low",
  "public_date" : "2018-03-28T00:00:00Z",
  "bugzilla" : {
    "description" : "ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket",
    "id" : "1561948",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1561948"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-626",
  "details" : [ "In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods do not check their socket path argument for null characters, so a connection may be made to an unintended socket.", "It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle NULL bytes properly. An attacker able to inject NULL bytes into the socket path could possibly trigger unspecified behavior in the ruby script." ],
  "statement" : "This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-08-06T00:00:00Z",
    "advisory" : "RHSA-2019:2028",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "ruby-0:2.0.0.648-36.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3729",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby23-ruby-0:2.3.8-69.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3730",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-ruby24-ruby-0:2.4.5-91.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3729",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.8-69.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3730",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.5-91.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3731",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby25-ruby-0:2.5.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3729",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.8-69.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3730",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.5-91.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3731",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby25-ruby-0:2.5.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3729",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.8-69.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3730",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.5-91.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3731",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby25-ruby-0:2.5.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3729",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby23-ruby-0:2.3.8-69.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3730",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby24-ruby-0:2.4.5-91.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-29T00:00:00Z",
    "advisory" : "RHSA-2018:3731",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby25-ruby-0:2.5.3-6.el7"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Affected",
    "package_name" : "rh-ruby22-ruby",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Affected",
    "package_name" : "ruby-200-ruby",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-ruby22-ruby",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-ruby",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-8779\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-8779\nhttps://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/" ],
  "name" : "CVE-2018-8779",
  "mitigation" : {
    "value" : "It is possible to test manually for the presence of NULL bytes in the socket path before calling the affected methods.",
    "lang" : "en:us"
  },
  "csaw" : false
}