RubySec

Providing security resources for the Ruby community

CVE-2018-1000201 (ffi): ruby-ffi DLL loading issue on Windows OS

GEM

ffi

SEVERITY

CVSS v3: 7.8

CVSS v2: 6.8

PATCHED VERSIONS

  • >= 1.9.24

DESCRIPTION

ruby-ffi version 1.9.23 and earlier has a DLL loading issue that can be hijacked on Windows OS when a Symbol is used as the DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.
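
A defender-side check for this advisory, added here as an example (not RubySec's or the ffi project's code): it reads Gemfile.lock text for ffi versions below 1.9.24 and flags `ffi_lib` calls that pass a Symbol as the library name. The function names, sample lockfile and sample source are constructed for illustration, and the source scan is a line-based heuristic.

```ruby
require "rubygems"

# First patched release, from the advisory's PATCHED VERSIONS field.
PATCHED = Gem::Version.new("1.9.24")

# ffi versions pinned in Gemfile.lock text. Platform suffixes such as
# "-x64-mingw32" are dropped so the versions compare cleanly.
def ffi_versions_in_lockfile(lock_text)
  lock_text.scan(/^ {4}ffi \(([0-9A-Za-z.]+)/).flatten.uniq
end

# True when the given ffi version predates the patched release.
def affected_version?(version)
  Gem::Version.new(version) < PATCHED
end

# ffi_lib calls with a Symbol literal among their arguments, the usage the
# advisory describes. Line-based heuristic; returns [line_number, line] pairs.
def symbol_ffi_lib_calls(source)
  hits = source.each_line.with_index(1).select do |line, _no|
    args = line.sub(/#.*/, "")[/\bffi_lib\b(.*)/, 1]  # drop trailing comment
    args && args.match?(/(?<![:\w]):[A-Za-z_]/)
  end
  hits.map { |line, no| [no, line.strip] }
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.9.23-x64-mingw32)
      rake (12.3.1)
LOCK

SAMPLE_SOURCE = <<~'RUBY'
  module Win
    extend FFI::Library
    ffi_lib :user32      # Symbol name: flagged
    ffi_lib 'kernel32'   # String name: not flagged
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  ffi_versions_in_lockfile(SAMPLE_LOCK).each do |v|
    puts "ffi #{v}: #{affected_version?(v) ? 'affected, upgrade to >= 1.9.24' : 'patched'}"
  end
  symbol_ffi_lib_calls(SAMPLE_SOURCE).each { |no, l| puts "line #{no}: #{l}" }
end
```

Upgrading ffi to a patched version is the fix the advisory gives; the Symbol scan only helps locate the call sites that were exposed.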