CVE-2018-8778
Publication date 3 April 2018
Last updated 25 August 2025
Ubuntu priority
Description
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ruby2.0 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 2.0.0.484-1ubuntu2.9
|
|
| ruby1.9.1 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 1.9.3.484-2ubuntu1.11
|
|
| ruby2.3 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial |
Fixed 2.3.1-2~16.04.9
|
|
| 14.04 LTS trusty | Not in release | |
| ruby2.5 | 18.04 LTS bionic |
Fixed 2.5.1-1
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
Related Ubuntu Security Notices (USN)
- USN-3626-1
- Ruby vulnerabilities
- 16 April 2018