CVE-2017-0898

Summary

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.

Affected Software

VendorProductVersion RangeStatus
HackerOneRubyVersions before 2.4.2, 2.3.5, and 2.2.8affected

Weaknesses

  • CWE-134: Format String Vulnerability (CWE-134)

ADP Enrichment

CVE Program Container

Additional References

References