CVE-2014-10077 - Vulnerability Details - OpenCVE

Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
I18n Project	I18n

Configuration 1 [-]

cpe:2.3:a:i18n_project:i18n:*:*:*:*:*:ruby:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/rubysec/ruby-advisory-db/pull/182/files
https://github.com/svenfuchs/i18n/pull/289
https://github.com/svenfuchs/i18n/releases/tag/v0.8.0
https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html
https://nvd.nist.gov/vuln/detail/CVE-2014-10077
https://www.cve.org/CVERecord?id=CVE-2014-10077

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-11-06T16:00:00

Updated: 2024-08-06T14:02:38.314Z

Reserved: 2018-11-06T00:00:00

Link: CVE-2014-10077

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-11-06T15:29:00.230

Modified: 2024-11-21T02:03:28.270

Link: CVE-2014-10077

Redhat

Severity : Low

Publid Date: 2015-07-20T00:00:00Z

Links: CVE-2014-10077 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-11-06T00:00:00", "descriptions": [{"lang": "en", "value": "Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-11-22T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/svenfuchs/i18n/releases/tag/v0.8.0"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rubysec/ruby-advisory-db/pull/182/files"}, {"name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1584-1] ruby-i18n security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/svenfuchs/i18n/pull/289"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-10077", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/svenfuchs/i18n/releases/tag/v0.8.0", "refsource": "MISC", "url": "https://github.com/svenfuchs/i18n/releases/tag/v0.8.0"}, {"name": "https://github.com/rubysec/ruby-advisory-db/pull/182/files", "refsource": "MISC", "url": "https://github.com/rubysec/ruby-advisory-db/pull/182/files"}, {"name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1584-1] ruby-i18n security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html"}, {"name": "https://github.com/svenfuchs/i18n/pull/289", "refsource": "MISC", "url": "https://github.com/svenfuchs/i18n/pull/289"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:02:38.314Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/svenfuchs/i18n/releases/tag/v0.8.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rubysec/ruby-advisory-db/pull/182/files"}, {"name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1584-1] ruby-i18n security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/svenfuchs/i18n/pull/289"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-10077", "datePublished": "2018-11-06T16:00:00", "dateReserved": "2018-11-06T00:00:00", "dateUpdated": "2024-08-06T14:02:38.314Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:i18n_project:i18n:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "B45FB474-EB9A-493C-9614-9EA2B9E029BD", "versionEndExcluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash."}, {"lang": "es", "value": "Hash#slice en lib/i18n/core_ext/hash.rb en la gema i18n en versiones anteriores a la 0.8.0 para Ruby permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (cierre inesperado de la aplicaci\u00f3n) mediante una llamada en una situaci\u00f3n en la que :some_key est\u00e1 presente en keep_keys, pero no en el hash."}], "id": "CVE-2014-10077", "lastModified": "2024-11-21T02:03:28.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-06T15:29:00.230", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/pull/182/files"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/svenfuchs/i18n/pull/289"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/svenfuchs/i18n/releases/tag/v0.8.0"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/pull/182/files"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/svenfuchs/i18n/pull/289"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/svenfuchs/i18n/releases/tag/v0.8.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rubygem-i18n: denial of service in Hash#slice in lib/i18n/core_ext/hash.rb", "id": "1647431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1647431"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash."], "name": "CVE-2014-10077", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.2", "fix_state": "Will not fix", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.2"}, {"cpe": "cpe:/a:redhat:openshift:3.3", "fix_state": "Will not fix", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.3"}, {"cpe": "cpe:/a:redhat:openshift:3.4", "fix_state": "Will not fix", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.4"}, {"cpe": "cpe:/a:redhat:openshift:3.5", "fix_state": "Will not fix", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.5"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Not affected", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Not affected", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:3.1", "fix_state": "Will not fix", "package_name": "rubygem-i18n", "product_name": "Red Hat OpenShift Enterprise 3.1"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "tfm-rubygem-i18n", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ror42-rubygem-i18n", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ror50-rubygem-i18n", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-i18n", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-i18n", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "rubygem-i18n", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2015-07-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-10077\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-10077"], "statement": "Red Hat Satellite 6.2 is now in Maintenance support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite Product Life Cycle: https://access.redhat.com/support/policy/updates/satellite\nRed Hat Satellite 6.3 and 6.4 don't include vulnerable package tfm-rubygem-i18n, hence are not affected by this flaw.\nSubscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates.", "threat_severity": "Low", "upstream_fix": "rubygem-i18n 0.8.0"}