CVE-2016-2337

Advisory lineage Upstream: 0 Downstream: 4

Downstream

DLA-1480-1 MGASA-2017-0290 UBUNTU-CVE-2016-2337 USN-3365-1

Modified

Published: 06 Jan 2017, 21:00

Last modified:05 Aug 2024, 23:24

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.0 (nvd)

EPSS Score

0.8% LOW

1% probability -0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

06 Jan 2017, 21:00

Published

Vulnerability first disclosed

05 Aug 2024, 23:24

Last Modified

Vulnerability information updated

Description

Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.

CVSS Metrics

v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.80%• Percentile: 74%

Affected Systems

ruby-lang•ruby
2.2.2 | 2.3.0
ruby•ruby
2.3.0 dev | 2.2.2
tcl•tcl\/tk
8.6 or later