Vulnerability Details : CVE-2015-4410
The Moped::BSON::ObjectId.legal? method in rubygem-moped before commit dd5a7c14b5d2e466f7875d079af71ad19774609b allows remote attackers to cause a denial of service (worker resource consumption) or perform a cross-site scripting (XSS) attack via a crafted string.
Vulnerability categories: Cross site scripting (XSS); Input validation; Denial of service
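The reference titles below attribute this bug class to Ruby regexp anchoring. As an added illustration, not moped's own code, the following contrasts a line-anchored (`^`/`$`) ObjectId check, which in Ruby still accepts a crafted multi-line string, with a whole-string (`\A`/`\z`) check that rejects it; the module name, method names and sample inputs are constructed for this example.

```ruby
# Added illustration (not moped's code): in Ruby, ^ and $ match at line
# boundaries, so a regexp anchored with them is not a whole-string check.
module ObjectIdCheck
  # Line-anchored pattern: accepts any string whose FIRST line is 24 hex chars.
  LINE_ANCHORED = /^[0-9a-f]{24}$/
  # Whole-string pattern: \A is start of string, \z is the absolute end
  # (\Z would still tolerate one trailing newline, so \z is the strict choice).
  STRING_ANCHORED = /\A[0-9a-f]{24}\z/

  def self.legal_line_anchored?(s)
    !!(s.to_s =~ LINE_ANCHORED)
  end

  def self.legal_string_anchored?(s)
    !!(s.to_s =~ STRING_ANCHORED)
  end

  # Defensive variant: bound the input size before the regexp runs, so
  # oversized strings are rejected without scanning them.
  def self.legal_strict?(s)
    s = s.to_s
    s.bytesize == 24 && s.match?(STRING_ANCHORED)
  end
end

# Constructed sample inputs.
VALID_ID = "0123456789abcdef01234567"
# A crafted value: a valid-looking first line, then extra content after a newline.
CRAFTED = "#{VALID_ID}\n<extra payload>"

# Returns the outcome of each check on each input.
def demo
  {
    valid_line: ObjectIdCheck.legal_line_anchored?(VALID_ID),       # true
    valid_string: ObjectIdCheck.legal_string_anchored?(VALID_ID),   # true
    valid_strict: ObjectIdCheck.legal_strict?(VALID_ID),            # true
    crafted_line: ObjectIdCheck.legal_line_anchored?(CRAFTED),      # true: check bypassed
    crafted_string: ObjectIdCheck.legal_string_anchored?(CRAFTED),  # false: rejected
    crafted_strict: ObjectIdCheck.legal_strict?(CRAFTED),           # false: rejected
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```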
Products affected by CVE-2015-4410
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:a:moped_project:moped:-:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-4410
- EPSS score: 1.02% (probability of exploitation activity in the next 30 days)
- Percentile: ~82% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2015-4410
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2015-4410
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2015-4410
- https://seclists.org/oss-sec/2015/q2/653: "oss-sec: Re: CVE Request: bson-ruby DoS and possible injection" (Mailing List; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161987.html: "[SECURITY] Fedora 21 Update: rubygem-moped-1.5.3-1.fc21" (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2015/06/06/3: "oss-security - Re: CVE Request: bson-ruby DoS and possible injection" (Mailing List; Third Party Advisory)
- http://www.securityfocus.com/bid/75045: "RubyGems BSON Multiple Denial of Service Vulnerabilities" (Third Party Advisory; VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=1229757: "1229757 – (CVE-2015-4410) CVE-2015-4410 rubygem-moped: Denial of Service with crafted ObjectId string" (Issue Tracking; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161964.html: "[SECURITY] Fedora 22 Update: rubygem-moped-1.5.3-1.fc22" (Mailing List; Third Party Advisory)
- https://github.com/mongoid/moped/commit/dd5a7c14b5d2e466f7875d079af71ad19774609b#diff-3b93602f64c2fe46d38efd9f73ef5358R24: "Merge Replica Set Refactor · mongoid/moped@dd5a7c1 · GitHub" (Exploit)
- https://www.securityfocus.com/bid/75045: "RubyGems BSON Multiple Denial of Service Vulnerabilities" (Third Party Advisory; VDB Entry)
- https://homakov.blogspot.ru/2012/05/saferweb-injects-in-various-ruby.html: "Egor Homakov: Injects in Various Ruby Websites Through Regexp." (Exploit; Third Party Advisory)
- https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html: "Mongo BSON Injection: Ruby Regexps Strike Again" (Exploit; Third Party Advisory)