Affected products (CPE):
cpe:/a:ruby-lang:ruby:2.2.0
cpe:/a:ruby-lang:ruby:2.2.1
cpe:/a:ruby-lang:ruby:2.2.2
cpe:/a:ruby-lang:ruby:2.2.3
cpe:/a:ruby-lang:ruby:2.2.4
cpe:/a:ruby-lang:ruby:2.2.5
cpe:/a:ruby-lang:ruby:2.2.6
cpe:/a:ruby-lang:ruby:2.2.7
cpe:/a:ruby-lang:ruby:2.3.0
cpe:/a:ruby-lang:ruby:2.3.1
cpe:/a:ruby-lang:ruby:2.3.2
cpe:/a:ruby-lang:ruby:2.3.3
cpe:/a:ruby-lang:ruby:2.3.4
cpe:/a:ruby-lang:ruby:2.4.0
cpe:/a:ruby-lang:ruby:2.4.1

CVE ID: CVE-2017-0898
Published: 2017-09-15T15:29:00.190-04:00
Last modified: 2018-07-14T21:29:01.553-04:00

CVSS base score: 6.4
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: PARTIAL
Source: http://nvd.nist.gov

References:
BID 100862
SECTRACK 1039363
DEBIAN DSA-4031
GENTOO GLSA-201710-18
REDHAT RHSA-2017:3485
REDHAT RHSA-2018:0378
REDHAT RHSA-2018:0583
REDHAT RHSA-2018:0585
UBUNTU USN-3685-1
MLIST [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
MISC https://github.com/mruby/mruby/issues/3722
MISC https://hackerone.com/reports/212241
MISC https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/

Description:
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string that contains a precision specifier (*) with a huge minus value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.