What is CVE-2017-0898?

CVE-2017-0898 is a critical-severity vulnerability in Hackerone Ruby, classified under Use of Externally-Controlled Format String. CVSS score: 9.1/10. Published 2017-09-15.

How severe is CVE-2017-0898?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Hackerone Ruby

CVE-2017-0898

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an inform…

EPSS: 0.014 (80.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.

Affected products

Hackerone Ruby — versions Versions before 2.4.2, 2.3.5, and 2.2.8
Ruby-lang Ruby — versions 2.2.0, 2.2.1, 2.2.2

Weakness classification (CWE)

CWE-134 — Use of Externally-Controlled Format String

References

support@hackerone.com (x_refsource_UBUNTU, vendor-advisory)
support@hackerone.com (Exploit, Third Party Advisory, x_refsource_MISC)
support@hackerone.com (x_refsource_REDHAT, vendor-advisory)
support@hackerone.com (x_refsource_REDHAT, vendor-advisory)
support@hackerone.com (vendor-advisory, x_refsource_DEBIAN)
support@hackerone.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)
support@hackerone.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_SECTRACK)
support@hackerone.com (x_refsource_REDHAT, vendor-advisory)
support@hackerone.com (mailing-list, x_refsource_MLIST)
support@hackerone.com (x_refsource_REDHAT, vendor-advisory)

Frequently asked questions

What is CVE-2017-0898?: CVE-2017-0898 is a critical-severity vulnerability in Hackerone Ruby, classified under Use of Externally-Controlled Format String. CVSS score: 9.1/10. Published 2017-09-15.
How severe is CVE-2017-0898?: Critical severity. CVSS v3 base score is 9.1 out of 10.