VIR Vulnerability Intelligence Relay

CVE-2009-4492

unknown
Published 2017-10-24 ยท Modified 2025-05-22
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
1.0

Description

WEBrick Improper Input Validation vulnerability

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-33489 remote multiple verified text ยท 1 KB
evilaliv3 ยท 2010-01-11

Ruby 1.9.1 - WEBrick 'Terminal Escape Sequence in Logs' Command Injection

text exploit Source: Exploit-DB 
source: https://www.securityfocus.com/bid/37710/info


Ruby WEBrick is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in log files.

Attackers can exploit this issue to execute arbitrary commands in a terminal.

Versions *prior to* the following are affected:

Ruby 1.8.6 patchlevel 388
Ruby 1.8.7 patchlevel 249
Ruby 1.9.1 patchlevel 378 

The following example is available:

% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
% wget http://www.example.com:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemswebrick<>= 1.4.0>= 1.4.0
ruby RubyGemswebrick<1.4.01.4.0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.