CVE-2019-15845

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
ruby-langruby
2.4.0 ≤
𝑥
≤ 2.4.7
ruby-langruby
2.5.0 ≤
𝑥
≤ 2.5.6
ruby-langruby
2.6.0 ≤
𝑥
≤ 2.6.4
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
19.04
canonicalubuntu_linux
19.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jruby
bookworm
9.3.9.0+ds-8
fixed
sid
9.4.8.0+ds-1
fixed
trixie
9.4.8.0+ds-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jruby
eoan
not-affected
disco
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
ruby2.3
eoan
dne
disco
dne
bionic
dne
xenial
Fixed 2.3.1-2~ubuntu16.04.14
released
trusty
dne
ruby2.5
eoan
Fixed 2.5.5-4ubuntu2.1
released
disco
Fixed 2.5.5-1ubuntu1.1
released
bionic
Fixed 2.5.1-1ubuntu1.6
released
xenial
dne
trusty
dne
References
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
https://hackerone.com/reports/449617
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://seclists.org/bugtraq/2019/Dec/31
https://seclists.org/bugtraq/2019/Dec/32
https://security.gentoo.org/glsa/202003-06
https://usn.ubuntu.com/4201-1/
https://www.debian.org/security/2019/dsa-4587
https://www.oracle.com/security-alerts/cpujan2020.html
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
https://hackerone.com/reports/449617
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://seclists.org/bugtraq/2019/Dec/31
https://seclists.org/bugtraq/2019/Dec/32
https://security.gentoo.org/glsa/202003-06
https://usn.ubuntu.com/4201-1/
https://www.debian.org/security/2019/dsa-4587
https://www.oracle.com/security-alerts/cpujan2020.html