CVE-2019-15845 log

Severity Medium
Remote Yes
Type Insufficient validation
It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to NUL injection in built-in methods (File.fnmatch and File.fnmatch?). An attacker who has the control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author.
The Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains NUL character (\0), the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, a script that uses an external input as the pattern argument, an attacker can make it wrongly match a pathname that is the second parameter.
Group Package Affected Fixed Severity Status Ticket
AVG-1040 ruby2.5 2.5.6-1 2.5.7-1 Medium Fixed FS#63977
AVG-1039 ruby 2.6.4-1 2.6.5-1 Medium Fixed FS#63977
Date Advisory Group Package Severity Type
02 Oct 2019 ASA-201910-5 AVG-1040 ruby2.5 Medium multiple issues
02 Oct 2019 ASA-201910-2 AVG-1039 ruby Medium multiple issues