N/A

Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.

N/A

N/A

Ruby Web Form Object Hash Collision 拒绝服务漏洞

Ruby是日本软件开发者松本行弘所研发的一种跨平台、面向对象的动态类型编程语言。 Ruby早期版本至1.9.3-p327版本中存在漏洞，可被攻击者利用导致DoS（拒绝服务）。该漏洞源于程序在用字符串作为密钥对某对象进行哈希运算时，哈希生成函数发生错误。通过在发送的HTTP POST请求中加入特制的表单，攻击者可利用该漏洞造成哈希冲突，从而导致较高CPU占用率高。

N/A

N/A